LOOKING FOR TROUBLE

Digex's CSO isn't waiting for hackers to find her. She's going after them first.

How to avoid the blame game for security decision making


As of today, security is not just about what you can

Start with Intrusion Prevention Solutions from McAfee Security® and discover how to go beyond merely detecting threats to preventing them altogether. With McAfee® System Protection and Network Protection Solutions, your business is completely protected—from the core to the edge of your network, including servers and desktops.

It's about what you can

Start building productivity faster. Knowing your network and systems are safe from both known and unknown threats, you'll be free to focus on bigger picture issues, like maximizing the ROI of your technology investment.

Start saying yes to users more. Users want full Internet access, they want laptops, they want PDAs, they want wireless, and they don't want to hear about how security concerns outweigh their needs. Now they don't have to. Because with McAfee Security you can start giving them the technologies they need without giving up the security your enterprise demands.

Start growing securely. When you're secure you can start thinking more about how ideas spread and less about how network threats spread. You can start expanding what your network can do, not simply reducing what hackers can do. You can start chasing what you're after, not what's after you.

Start today at start.mcafeesecurity.com

Network Associates

Network Associates and McAfee Security are registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the US and/or other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. © 2003 Networks Associates Technology, Inc. All Rights Reserved.
“I thought, Am I really the one who's going to block this thing?”

-EDUARDO DARDET, INFORMATION SECURITY DIRECTOR, JM FAMILY ENTERPRISES, PAGE 50


24 A Secure Infrastructure
SECURITY COUNSEL Bill Boni, CISO of Motorola, answers readers' questions on information security.

26 Creeping Determinism
FLASHPOINT Security departments that rely too heavily on their outsourcer to troubleshoot problems could be heading for disaster. By David H. Holtzman

60 Policy Police
CSO UNDERCOVER It's easy enough to write a security policy, but the devil's in the details when you start talking about enforcement.

30 cover story Money Well Spent
SECURITY SPENDING When it comes to budgets, less can be more. Here are seven tips to squeeze every bit out of yours. By Daintry Duffy

38 Big Savings, Big Risk
OFFSHORE OUTSOURCING U.S. companies continue a pell-mell rush into offshore outsourcing of software development. Those that haven't stopped to look at global intellectual property law are in for a big surprise. By Michael Fitzgerald

44 Bring It
PROFILE: DIGEX The best defense isn't sitting around with your fingers crossed. Digex CSO Pamela Fusco would rather take the battle to the hackers. By Ann Harrison

57 Machine Shop
How to secure Web services: The next new (vulnerable) thing. By Simson Garfinkel

TOOLBOX Integrating network and physical security

15 Briefing
This is only a test; A little off the bottom line; Costly backup; We never forget a face; Lights out

22 Wonk
Patriot Act roadshow: Marketing, rather than merits, will likely determine the fate of President Bush's signature legislation. By Julie Hanson

50 Fault Line
LEADERSHIP Welcome to a world where projects fail, computers crash and secrets escape...and you don't have to be the fall guy. By Thomas Wailgum

64 Debriefing
Blackout vs. The Worm
Daily Dose of CSO

If you need more than the monthly fix of articles and analysis of the security industry that CSO brings you each issue, visit our website (www.csoonline.com) for more of the same smart writing and keen analysis in digital form. Bookmark CSOonline.com so that you won't miss the new content we post each weekday.

TALK BACK Tell us what you think.
Is intrusion detection a dead technology? Visit each week to discuss this and other controversial topics.
www.csoonline.com/talkback

TUESDAY
SECURITY CHECK Quick and easy.
Vote in our weekly security poll. You may also check the results of previous polls, such as “What's your company policy on employees using Wi-Fi devices?” Nearly two-thirds of respondents said Wi-Fi devices are forbidden.
www.csoonline.com/poll

ANALYST REPORTS We've gathered research and analysis from respected sources and put it in one convenient

number mean? It means there's an easier way to find CSO articles online than typing URLs. Use the

related content on the Web.
Chaos.

Control.

Take control of your Internet security.

Introducing Proventia™ Enterprise Protection Products. Just because Internet threats are complex, doesn't mean your security has to be. Finally, a single, unified protection appliance that protects more with less, eliminating the cost and chaos of multiple stand-alone security products. Proventia™ centrally-managed products range from detection up to completely unified and proactive multi-function protection appliances, combining firewall, intrusion prevention and anti-virus technologies. Take control of your enterprise security. Switch to Internet Security Systems today. 800-776-2362. www.iss.net/takecontrol.

Internet Security Systems

© 2003 Internet Security Systems, Inc. All rights reserved worldwide.


I AM A CISCO CATALYST 6500.

I AM A SNARLING PACK OF DOBERMANS.

I AM INTEGRATED SECURITY. I HAVE THE POWER TO PROTECT YOUR NETWORK FROM THE INSIDE, THE OUTSIDE AND FROM EVERYWHERE IN BETWEEN. I ALWAYS KNOW WHO IS ON THE GUEST LIST AND HAVE THE POWER TO DENY THOSE WHO AREN'T ON IT. I SNIFF OUT THREATS SO YOU CAN STAY PRODUCTIVE. I AM MORE THAN A CISCO CATALYST 6500.

THIS IS THE POWER OF THE NETWORK. NOW.

Cisco Systems
cisco.com/securitynow


Octoberfists

We take full responsibility. No sooner do we run an interview with Major League Baseball CSO Kevin Hallinan (see Debriefing, October 2003), than an on-field-and-bullpen melee breaks out at Boston's historic Fenway Park during the American League Championship Series (ALCS). Once described by writer John Updike (in an excess of sentimentality) as a “lyric little bandbox,” Fenway's greensward was more like a great big mosh pit on Saturday, Oct. 11, when Red Sox and Yankee players tangled in a series of testosterone-fueled sideshows. It fell to ballpark security, Hallinan's office, Boston police and the umpiring crew to sort out the mess.

In the midst of an intense security incident, sometimes what you don't do can be as decisively important as what you do. For example, despite considerable provocation from players like Boston pitcher Pedro Martinez and left fielder Manny Ramirez, and New York outfielder Karim Garcia, no players were ejected. Nor was Yankee bench coach (and one-time Sox manager) Don Zimmer bounced after taking a run at Martinez during the fourth-inning fracas (this ill-advised move left the 72-year-old Zimmer sprawled on the ground when Martinez flung him aside).

Somehow, the passions on the field were kept from spilling over into the crowd. Boston police reported very few arrests. The decision to shut off beer sales at Fenway's concessions after the fourth inning made a whole lot of sense and without question contributed to keeping the peace among fans in the stands. By the ninth inning, when pitchers in the Yankee bullpen allegedly assaulted an exuberantly partisan member of the Red Sox groundskeeping crew, the fans had come out way ahead of the players on the behavioral balance sheet.

Hallinan says he talked to baseball Commissioner Bud Selig before the ALCS got under way, “and we agreed that this year we were having two World Series-type events,” given the magnitude and intensity of the Yankees-Red Sox rivalry.

Were there particular scenarios that Hallinan and Red Sox security people discussed as triggers for specified responses? “It's more a sense of the moment,” he says. “You obviously know what factors will give you some concern. Boston's a college town. It's packed with young people who are sometimes looking to become part of the event. The availability of alcohol can be a factor in that.” Ultimately, Hallinan says, “It's our job to make sure the fans don't get involved with the events on the field.”

Subsequent reviews of the security team's performance in game three broke along party lines, with Yankees executives crying foul and the Red Sox expressing satisfaction. Major League Baseball was on the side of the home team, praising the umps, the Fenway security force and the Boston police for offering the right responses under considerable duress.

Like Yankee starting pitcher Roger Clemens—known occasionally to be a hothead—the forces of law and order kept their cool. Clemens controlled his temper, stuck to pitching and picked up the win. For their part, the security folks—abetted by their on-field counterparts, the umpires—demonstrated the value of less as more. In a situation where ejections (which, if you went by the book, were clearly warranted) would have jacked up the crowd, that temptation was wisely resisted.

Which prompts me to ask for your feedback on the value of restraint. What situations have you faced in your job that you believe turned out better because you backed away from a hard-line response? Is it always clear which approach is best? And how do you decide? Let me know at mccreary@cxo.com.
He just found out he's responsible for the video surveillance network.

CCTP would have made his life much easier.

Introducing CCTP™ video surveillance for the digital age

Want to know more? Simply go to anixter.com/CCTP or call 1-800-ANIXTER.

CCTP, engineered by Anixter, is:

• The only open architecture, standards-based, structured video surveillance solution
• 30% less expensive than traditional CCTV systems
• Video, Power and Control over one optimized UTP cable
• Able to handle existing analog technology
• Ready for the IP surveillance future

CCTP products exclusively manufactured for Anixter by Belden and Siemon.

*Winner of the “Best New Technology” Award at the Federal Office Systems Expo (FOSE)


THE RESOURCE FOR SECURITY EXECUTIVES

CSO wishes to thank the following individuals for serving as our editorial Board of Advisers, supplying their expertise and guidance to CSO's editors.

GEORGE CAMPBELL
Past President, International Security Management Association

CHRIS CHRISTIANSEN
Program Vice President, E-Business Infrastructure and Security Software, IDC

DAVID CULLINANE
CISO, Washington Mutual
President, Information Systems Security Association

FRANCIS D'ADDARIO
Vice President, Partner and Asset Protection, Starbucks

DOROTHY DENNING
Professor, Department of Defense Analysis, Naval Postgraduate School

DANIEL E. GEER JR.
Former CTO, @Stake

DAVID M. HAGER
Former Vice President, Network Security and Disaster Recovery, OppenheimerFunds

JOHN HARTMANN
Senior Director of Information Technology, The Home Depot

ROBERT HAYES
Consultant

STEVE KATZ
President, Security Risk Solutions

MICKI KRAUSE
CISO, Pacific Life Insurance

HOWARD SCHMIDT
CISO, eBay

BRUCE SCHNEIER
CTO, Counterpane Internet Security

KRIZI TRIVISANI
Information Security Officer, The George Washington University

JAMES WADE
CISO, KeyCorp
President, (ISC)2

ROBERT WEAVER
Assistant Special Agent in Charge, Secret Service Electronic Crimes Task Force, New York City

How to Reach Us

E-MAIL csoletters@cxo.com
PHONE 508 872-0080
FAX 508 879-7784
ADDRESS CSO Magazine, 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208

SUBSCRIBER SERVICES
phone: 866 354-1125
fax: 847 564-9453
e-mail: cso@omeda.com

REPRINTS For article reprints (500 quantity or more), contact Chad Johnston at RSiCopyright at 651 582-3800 or e-mail csoreprints@rsicopyright.com.

ABOUT IDG International Data Group (IDG), the leading global provider of IT media, research, conferences and events, informs more people about technology than any other company in the world.
$25.00

Strong Authentication
Web Access Control

Affordable Strong e-Security

More e-Security for Less Money

Pay 2/3 less for strong (two-factor) authentication. Use the same A-Key™ for an optional suite of strong e-security:

File/Folder/HD Encryption
Secure File Exchange
Digital Cert Storage

You get strong authentication more versatile than that provided by the industry leader, for 1/3 the price.* Plus, you can use the same A-Key token for: web access control, 128-Bit AES encryption for files/hard disk/folders, secure file exchange, and storage for digital certificates. You save even further through ease of deployment and management.

* Price comparison and token prices are approximated based on average per token retail price of RSA SecurID tokens (in 25 pack of 5 year tokens) randomly surveyed from internet retailers on May 13, 2003, and the average per token retail price of Authenex A-Key tokens (in 25 pack of tokens) as of May 13, 2003. Prices are for tokens only and do not include related software. Prices may be subject to change without notice.

** Certain terms and conditions may apply.

Get Your FREE A-Key Today**
Eliminate 80% of time spent resolving problems
Solve 50% of downtime causes
Empower higher IT productivity

A New School of Thought

What's good for security is good for operations.

Tripwire® reduces operational risk and ensures the security and availability of your networks. By immediately detecting and pinpointing change, Tripwire provides stretched IT staffs with increased visibility and control. The result? A high level of security and complete confidence in the integrity of IT operations across the enterprise.

Tripwire is the only way to have 100% confidence that systems remain uncompromised.

The Integrity Assurance Company.

FREE 30-day fully-functional demo & White paper “What's Good for Operations is Good for Security”.
Call 1-800-TRIPWIRE (874.7947) or visit http://cso.tripwire.com today!

© Copyright 2003. Tripwire and the Tripwire logo are registered trademarks of Tripwire, Inc.
[Chart: OCCUPATIONAL FRAUD LOSSES: $400 billion; $600 billion; 2002. SOURCE: ASSOCIATION OF CERTIFIED FRAUD EXAMINERS]

[Poll: CSO SECURITY CHECK. What's your company policy on employees using Wi-Fi devices? Response shown: Not sure.]

To participate in a CSO Security Check poll, visit www.csoonline.com.

FRAUD You know what they say about a free lunch. So if someone in your organization seems particularly well-fed, you might want to take a closer look at their expense reports. A recent study by the Association of Certified Fraud Examiners shows that fraud losses are on the rise. According to Toby Bishop, president and CEO of the association, there are some tried-and-true methods to recognize expense fraud in your organization.

1. Identify employees who make expense claims that are out of line with those of colleagues in similar roles. Note the salespeople who spend significantly more on entertaining customers than their peers to generate the same amount of sales.

2. Look for an unusually high proportion of travel expenses or meal expenses compared with those of peers. This might indicate fictitious expenses. You should also note transactions that fall just under approval limits. If an individual has a large number of these, that might suggest a particular abuse of an opportunity to make undocumented claims.

3. Conduct your analysis of expense report fraud over a long period of time. Typical expense fraud lasts two years before it is discovered.
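
The three heuristics above, run over a constructed expense ledger, as an added Python example that is not part of the article: it flags spend far above same-role peers (tip 1), an unusually high travel-and-meal share and repeated claims just under the approval limit (tip 2), and it only counts claims inside a two-year window (tip 3). The $500 approval limit, the thresholds and every employee record are assumptions made for the illustration.

```python
"""Expense-report fraud heuristics: added example, not code from the article.
Applies the three ACFE tips to constructed records: total spend far above
same-role peers; a high travel/meal share and claims just under the approval
limit; a two-year window. Limits, thresholds and employee data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median

APPROVAL_LIMIT = 500.00   # assumed: claims of $500 or more need sign-off
JUST_UNDER_BAND = 25.00   # assumed: [475, 500) counts as "just under"
PEER_RATIO = 2.0          # assumed: flag totals above 2x the peer median
SHARE_MARGIN = 0.25       # assumed: travel+meal share 25 points above peers
JUST_UNDER_MIN = 3        # assumed: three or more near-limit claims
WINDOW_DAYS = 730         # tip 3: typical expense fraud runs about two years
ANALYSIS_END = date(2003, 10, 1)  # constructed "today" for the sample run


@dataclass(frozen=True)
class Expense:
    employee: str
    role: str
    category: str  # "meal", "travel", "entertainment" or "other"
    amount: float
    when: date


def summarize(records, start, end):
    """Per-employee total, travel+meal share and near-limit count in [start, end]."""
    acc = defaultdict(lambda: {"role": None, "total": 0.0, "tm": 0.0, "near": 0})
    for r in records:
        if not (start <= r.when <= end):
            continue  # tip 3: old claims outside the window are ignored
        a = acc[r.employee]
        a["role"] = r.role
        a["total"] += r.amount
        if r.category in ("meal", "travel"):
            a["tm"] += r.amount
        # strictly below the limit: a claim exactly at $500 is not "just under"
        if APPROVAL_LIMIT - JUST_UNDER_BAND <= r.amount < APPROVAL_LIMIT:
            a["near"] += 1
    for a in acc.values():
        a["share"] = a["tm"] / a["total"] if a["total"] else 0.0
    return acc


def peer_median(acc, who, key):
    """Median of `key` over same-role colleagues, excluding the person tested."""
    role = acc[who]["role"]
    vals = [a[key] for n, a in acc.items() if n != who and a["role"] == role]
    return median(vals) if vals else None


def flag_expense_outliers(records, end):
    """Return {employee: sorted reasons}; staff with no same-role peers are skipped."""
    acc = summarize(records, end - timedelta(days=WINDOW_DAYS), end)
    flags = defaultdict(list)
    for who, a in acc.items():
        med_total = peer_median(acc, who, "total")
        if med_total is None:
            continue
        if a["total"] > PEER_RATIO * med_total:                         # tip 1
            flags[who].append("total spend above peers")
        if a["share"] > peer_median(acc, who, "share") + SHARE_MARGIN:  # tip 2a
            flags[who].append("travel/meal share above peers")
        if a["near"] >= JUST_UNDER_MIN:                                 # tip 2b
            flags[who].append("repeated claims just under approval limit")
    return {k: sorted(v) for k, v in flags.items()}


def sample_records():
    """Constructed data: alice and dave are the planted anomalies."""
    rows = [
        ("alice", "sales", "entertainment", 480.00, "2002-03-10"),
        ("alice", "sales", "entertainment", 490.00, "2002-07-22"),
        ("alice", "sales", "entertainment", 495.00, "2002-11-05"),
        ("alice", "sales", "entertainment", 499.00, "2003-02-14"),
        ("alice", "sales", "entertainment", 636.00, "2003-06-30"),
        ("alice", "sales", "meal", 200.00, "2003-08-01"),
        ("alice", "sales", "travel", 300.00, "2003-09-15"),
        ("alice", "sales", "entertainment", 499.00, "2001-06-01"),  # outside window
        ("bob", "sales", "meal", 200.00, "2002-05-01"),
        ("bob", "sales", "travel", 300.00, "2002-09-09"),
        ("bob", "sales", "entertainment", 500.00, "2003-01-20"),  # exactly at limit
        ("bob", "sales", "other", 100.00, "2003-04-04"),
        ("carol", "sales", "meal", 250.00, "2002-06-06"),
        ("carol", "sales", "travel", 250.00, "2002-12-12"),
        ("carol", "sales", "entertainment", 600.00, "2003-03-03"),
        ("dave", "sales", "meal", 900.00, "2003-05-05"),
        ("dave", "sales", "travel", 100.00, "2003-07-07"),
        ("dave", "sales", "entertainment", 100.00, "2003-09-01"),
        ("erin", "engineering", "travel", 2000.00, "2003-08-08"),  # no peers
    ]
    return [Expense(e, r, c, amt, date.fromisoformat(d)) for e, r, c, amt, d in rows]


def run_sample():
    """Flag the constructed team as of ANALYSIS_END."""
    return flag_expense_outliers(sample_records(), ANALYSIS_END)
```

With this data `run_sample()` flags alice for total spend and near-limit claims and dave for travel/meal share, while bob's single claim at exactly $500 and alice's pre-window claim are correctly ignored.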

As for the increase in fraud losses, Bishop comments that although it may reflect an increase in the willingness of employees to commit fraud against their employers, at the same time, it's important to remember that expense reimbursement fraud can be annoying but tends not to be catastrophic to the organization. It's important to control it and put resources into detecting it, but at the same time, it needs to be balanced against the need to protect the organization against less frequent but more dangerous types of fraud such as financial statement fraud—which can destroy companies overnight. -Kathleen Carr
A Little Off the Bottom Line


Remember when the emergency broadcast system sounded on your television on Sept. 11, 2001? One long piercing beep followed by useful information on how to respond to the news that we'd just been attacked by terrorists. Perhaps you don't remember because it never happened. Neither the Emergency Broadcast System (EBS) nor its successor, the Emergency Alert System (EAS), made a peep on 9/11.

The lack of noise sparked a public debate about the system's usefulness.

Conceived as a way for the president to communicate directly with the public in the event of a “national emergency,” EBS was retired in the 1990s and replaced with EAS in 1997. The national emergency warning system went digital and was extended to state and local authorities, enabling them to distribute emergency information via broadcast stations.

Today, EAS is used to communicate news about hazardous material spills, severe weather and child abductions, according to Reynold Hoover, director of National Security Coordination at the Department of Homeland Security. But recent reports have sent warnings about holes in the system. A draft assessment of EAS released by the nonprofit Partnership for Public Warning concluded that the government needs to [...] rules about when and how EAS should be activated. In cooperation with the FCC, the DHS is evaluating new ways to disseminate emergency information using cell phones and the Internet. -Paul Roberts


Costly Backup

LEGAL MATTERS E-mail, it's gonna cost you. The cost of litigation in suits where the parties involved need to access information stored in archived e-mail is rising. The cost to restore archive tapes and search them for relevant data ranges from $1,000 to $3,000 per tape. As a result, companies are increasingly asking the courts to shift some of the burden to the party that requests the information, according to Margaret Rimmler, vice president of marketing at document storage company Iron Mountain.

That was the problem that confronted U.S. District Court Judge Shira A. Scheindlin in a recent employment discrimination case pitting Laura Zubulake, a former executive of UBS Warburg, against her old employer.

Scheindlin set a new precedent by asking Zubulake to pay 25 percent of the $175,000 cost to recover e-mail messages from UBS backup tapes that Zubulake felt might contain information or correspondence relevant to her case.

In her decision, Scheindlin rewrote a previous test—known as the Rowe test—to determine who should bear the cost of discovery, saying that the Rowe test tended to skew courts in favor of having requesters bear the entire cost of discovery, and that such a bias could discourage some from seeking justice.

But companies worried about such costly requests need to do more than rely on judges to keep litigation costs fair and reasonable, according to Jennifer Goddard, an attorney in the Employment Practice Group of Boston law firm Testa, Hurwitz & Thibeault.

E-mail backup tapes can be a gold mine of useful information, and enterprising attorneys know it, she says.

“This is happening more and more. Plaintiffs are demanding that companies produce messages on e-mail servers, handhelds and backup tapes,” Goddard says.

Companies that are worried about exposure to such whopping legal bills need to develop a comprehensive and consistently applied policy for document retention. That policy should spell out what type of information is retained and for how long.

“That way, if and when there is a lawsuit, you can safely say, ‘Because we applied our document retention policy, we only have a few backup tapes that have relevant information on them,'” Goddard says.

-Paul Roberts

FEDERAL WORKERS, IN FORCE

One out of every 12 civilian workers employed by the federal government is working for the Department of Homeland Security. The DHS employs more people than the Treasury, Education and Labor departments combined.

DEPARTMENT         CIVILIAN WORKERS   PERCENT OF TOTAL
Homeland Security  160,201            8.6%
Treasury           131,924            7.1%
Labor              16,134             0.9%
Education          4,697              0.3%

SOURCE: TRANSACTIONAL RECORDS ACCESS CLEARINGHOUSE


We Never Forget a Face

BIOMETRICS Hope you like your passport photo. The next generation of travel-identity documents will contain a “smart chip” that will store a digital version of your potentially unflattering passport photo forever.

In addition to the facial recognition data, the chips may store standard passport information such as name, birth date, place of birth, gender, date of issuance, passport number and citizenship, according to Kelly Shannon, a spokesman for the Bureau of Consular Affairs in Washington, D.C.

Facial recognition scanners at points of entry to the United States and other countries will be able to read the contents of the chip, then compare the digitized photo to the face of the person presenting the passport.

“It's a way to make sure the face on the passport is the same as the person in front of you,” Shannon says.

The Bureau of Consular Affairs is rushing to comply with new legislation, including the Enhanced Border Security and Visa Entry Reform Act of 2002. Section 303 of this law requires that countries that have bilateral agreements with the United States for visaless travel certify that they will have a biometric visa program in place by October 2004.

The United States is going to establish similar requirements for its own passports. To integrate biometrics into passports and other travel documents, the Department of State will follow a blueprint released by the International Civil Aviation Organization (ICAO).

Passport holders would not need to have their faces scanned to obtain the passport. Instead, the passport photo could be used to generate the facial recognition data. However, all countries, eventually including the United States, will have to comply with whatever the ICAO decides to use as a standard.

-P.R.
Security Perspectives from Unisys

HOT TOPIC

Secure Networks and Outsourcing

Sunil Misra on How to Ensure and Insure Critical Systems

> Many organizations now feel safer outsourcing network security than keeping it in house. And since security of any kind is all about risk management, Sunil Misra, chief security advisor at Unisys, urges IT leaders to weigh three distinct network security concerns before they make their outsourcing decision:

► Risk avoidance;
► Risk mitigation;
► Risk transfer.

Simply put, if CIOs and CSOs can't successfully avoid security risks, their next step is to mitigate them through a mixture of informed people, standard policies, and technologies such as firewalls and intrusion protection. Many security executives, however, lack the manpower to implement necessary technologies, or the budget to cover the costs. Faced with such a problem, Information Systems executives increasingly opt for (continued on page 2)

We want to hear from you! What are your top priorities? Let us know what topics and issues you'd like to see covered in future issues of Secure Connections. Send your ideas to us at ZeroGapPlanning@unisys.com

Security Strategies: Survey Results

Part 2: Balancing Risk and Opportunity

Second in a series of reports from the Unisys Security Landscape Study

> In an extensive series of interviews with dozens of Fortune 1000 CIOs and CSOs, respondents talked frequently about the dilemma they face when balancing security risks with business opportunities.

Many CIOs and CSOs want to enable business initiatives but are driven by their organizations into security strategies that minimize the risks of such ventures. Thus, the only way to successfully secure the organization is to promote a strategy that balances risk and opportunity.

Respondents pinpoint three specific challenges in their quest to enable business opportunity while still protecting the company:

A lack of rational assessment models. IS/security leaders need more than opinions and judgment calls to drive policy; they need a rational risk assessment model for cost-benefit analysis. There are no generally accepted security metrics, and there is a lack of consensus on how to assess security risks. How can CSOs relate and justify if they cannot quantify such things as loss of privacy or collaboration capabilities, even though they are intuitively obvious? The solution lies in a hybrid model between classic risk analysis and a business-impact analysis. Quantitative and qualitative data must be combined to drive a metric for measuring risk against business assets.

Accountability vacuum. Many CIOs and CSOs say that executives are generally reluctant to weigh the security implications of their projects. And why should they? There's (continued on page 2)
SECURITY STRATEGIES continued from page 1

no accountability to make them do so. Because the performance of other C-level executives is usually measured in terms of everything but security, organizations are effectively providing a disincentive for them to include security. When it's time to implement, security is inserted into projects midstream, resulting in project rework and missed milestones.

Value Decisions. When it comes to making hard choices about the value of certain issues, CSOs must rely on the executive team as a whole to help make these decisions. And yet other C-level executives are generally reluctant to make, and live by, hard value decisions such as “How valuable is partner collaboration when weighed against creating a hole in security?” All too often, concepts are discussed, opinions are offered and some lukewarm consensus is reached. The lack of a solid model for assessments means that these decisions have no firm foundation.


Customer Focus: Financial Services

ROUND-THE-CLOCK SECURITY FOR INTERNET BANKING CUSTOMERS

A London-based financial services company has leveraged centuries of banking tradition to build one of Europe's most popular online banking sites. Since its inception, the website has attracted millions of visitors and done more than $1 billion in business.

But constant online access also presents a security challenge. To enable 24/7 security for its online clients, the company called upon longtime partner Unisys to install an intrusion detection system (IDS), and remotely monitor the software from the Unisys Security Command Center in Amsterdam.

The IDS implementation is designed to prevent malicious hacker attacks, which could cause significant financial loss through system damage, downtime, or tarnished reputation. At the same time, it is meant to help increase the confidence of site visitors and help pave the way for additional services to be provided by the bank over the Internet.

Unisys—with its focus on Zero-Gap Security Planning—is a key partner in the planning, implementation, and ongoing management of the bank's new intrusion detection system.

How it works: IDS sets off online alarms when it detects activities that suggest inappropriate or unauthorized access to the network. And IDS is backed up by the hands-on experts at Unisys, who have the experience to tell a real attack from a false alert. Using the holistic approach of Zero-Gap Security Planning, companies can maximize their security investment by integrating security into corporate business processes.


SECURE NETWORKS continued from page 1

network security outsourcing.

“Outsourcing is cheaper because the vendor can leverage its capital investments, and it is staffed with people who are fully dedicated to security,” says Misra. “People are realizing the importance of security in general, and realizing that they can’t do it themselves.”

At Unisys, a network outsourcing engagement begins with needs assessment. Then implementation and equipment costs are built into the cost of the commitment. Clients are then connected to operations centers scattered across the globe.

Beyond outsourcing, many IS leaders are now opting for a new risk-transfer strategy: network security insurance. “If you can’t be fully protected, buy insurance that’ll cover incidences such as a hacking attack,” says Misra. For example, Unisys partners with insurance firm AIG to provide system assessments that will drive the underwriting process — how much insurance is needed and its cost, for example.

Although network security is, in the end, all about risk mitigation, that doesn’t mean the responsibility must fully reside on the CIO’s or CSO’s plate. “You mitigate risk as much as you can, and then you transfer the risk,” says Misra. ■

Are you thinking about outsourcing network security at your organization? Have you insured your security? Share your story with Secure Connections at ZeroGapPlanning@unisys.com

For more information, please visit our website at www.unisys.com/security or call 800-874-8647, x785 (outside the US +1 585-742-6865, x785)

© 2003 Unisys Corporation
“The Best Place to Be a CIO or to See a CIO is at a CIO Magazine event.”

— B. Lee Jones, CIO, DMC Stratex Networks

CIO Magazine’s Executive Programs are the place for CIOs to learn from industry experts and from one another. We bring together the best and the brightest to keep you informed, stimulate your thinking, and sanity-check yourself against your peers.

We limit attendance to qualified, senior IT executives from business, government and leading not-for-profit organizations. Join us at one of our events in 2004.

Call us at 800.366.0246 or visit www.cio.com/conferences

Upcoming Events!

February 8-10, 2004
Enterprise Value Retreat & Awards Ceremony
Trump International Sonesta Beach Resort, Sunny Isles Beach, Florida

April 18-20, 2004
CIO Perspectives
La Costa Resort & Spa, Carlsbad, California

August 22-24, 2004
CIO 100 Symposium® & Awards Ceremony
Hotel del Coronado, Coronado, California

The Resource for Information Executives
The Problem of the Ego

EDUCATION There is an economic principle called the Problem of the Commons. It suggests that societal problems can be fixed by everyone doing their part. But how often does that happen?

In the security world, a corollary to this might be called the Problem of the Ego: Security is everyone else’s problem, but it’s certainly not mine. A recent study by the Information Technology Association of America and Brainbench suggests that the Problem of the Ego is a real phenomenon when it comes to information security.

Almost 800 “knowledge workers” were polled about their security practices. The survey shows that most workers gave themselves high grades when it comes to secure practices, but gave colleagues largely failing grades. About half also said their companies are generally doing a poor job with security and are not providing employees with adequate information.

What can a CSO do to combat this ego problem? Very little. But even those respondents with an ego admitted that they need more training and education. Fewer than half of those responding to the survey felt that they have received adequate on-the-job security education.

So here’s your chance. Freud is unavailable, so chances are you’ll never be able to curb the problem of the ego that plagues the masses. But you might have success controlling it if you employ the old standbys of awareness and education. -Scott Berinato


INVESTIGATORS WANTED

CERTIFICATION The American Society for Industrial Security, or ASIS International, is on a certifying tear. ASIS announced the Professional Certified Investigator (PCI) certification, designed for those who conduct investigations on behalf of clients. PCI joins other ASIS-sponsored professional certifications such as the Certified Protection Professional (CPP) program for security managers and a new Physical Security Professional (PSP) certification.

The PCI designation is part of an ASIS effort to bring order to the crowded field of security professionals. That job is especially important given the increasing demands being put on security professionals and the growing interest in the field, says Greg Sanders, promotions chairman on the ASIS-affiliated Professional Certification Board.

“Everyone claims to be a security expert,” Sanders says. “So it’s necessary for us to vet certifications that pop up in the security industry.” ASIS verifies that security professionals applying for the PCI certification have a minimum of nine years of investigations experience or seven years of investigations experience with a bachelor’s degree. PCI applicants must also have at least three years of case management experience.

In addition, applicants must pass an examination with questions on topics such as managing caseloads, collecting evidence, handling investigative tools and giving testimony. The new certification should be helpful to ex-law enforcement and government personnel who have experience with managing caseloads, collecting evidence and testimony, and who want to work in the private sector.

Rather than apologizing for the addition of yet another acronym to the security lexicon, Sanders notes that the new letters are a byproduct of the increasing reliance on experts of all kinds to provide specialized services.

The first PCI examination will be used to benchmark performance. Additional information can be found on the ASIS website at www.asisonline.org. -Paul Roberts
Helping your business grow is the best way we can protect it.

It's not a subject most security companies address. But ADT takes the growth of your business very seriously. Which is why we work hard to understand your business situation. Because only then can we provide integrated system solutions that can help protect your company, while also securing its growth. From the latest in remote video to next-generation access control, you may find that the aspect of your business we're best equipped to secure is its future. Learn more at www.ADT.com. Or call us at 1-877-258-6424 and make an appointment with one of our representatives. ADT. Always There.
DISASTER RECOVERY On Aug. 14, 2003, there was a blackout in NYC. But Craig Sisler, CIO of Capital Printing Systems in New York’s East Side, had a plan.

CSO: What was it like for people when the blackout occurred?

Craig Sisler: Surreal is the first word that comes to mind. The initial feeling was a general sense of alarm. The power went down completely, lights went out, workstations went dark. Because it was daylight, we couldn't tell that it was a citywide blackout. We thought it was a building emergency or a fire. The first thing I did was to tell everyone to remain calm. I went into the server room and covered the servers with duct tape and plastic in case the sprinklers went on.

So duct tape is good for something after all?

It's low-tech, but it worked. There were no signs of fire, and we were able to do an orderly shutdown. We don’t have a generator, but we have enough uninterruptible power supply to shut down safely and avoid systems crashing.

Did you have a disaster recovery plan in place?

Last year, we created a disaster recovery site in New Jersey. It's basically a microcosm of our system offsite. Our postmortem of the blackout taught me that had it happened in the middle of the night, things wouldn’t have gone as smoothly. There was a core group of key personnel who knew what to do. But had this happened at 3 a.m., things might have been different. We don't have a road map of a disaster recovery plan that someone could pick up and execute. I now know that we need to create one.

What about the people plan?

One of the themes that came back from employees was that communication was our biggest problem. We knew there were certain people we needed to contact, but we didn’t have a phone chain in place. We’re looking into that. Without that, we left a lot of people literally and figuratively in the dark. Another thing that came up was the comfort factor. We have refrigerators with water and snacks. But what if this happened in the middle of January? We’d need real food and blankets.

After the blackout, you solicited feedback from the entire corporate staff as to what could have been done better. Why?

From an IT perspective, the end user often has more useful feedback than a technical person. I wanted to solicit opinions from people who wouldn’t ordinarily volunteer them. The most useful suggestions came from nonexecutives — bright people who care about the company but who aren't often involved in the business decisions.

What were some of their comments?

One user reminded us that we should make sure the disaster recovery plan is communicated to everyone. Others suggested that we should have food available. It may sound crazy, but I contacted an organization that distributes MREs [meals ready to eat] to the military. MREs have a long shelf life, and they don’t take up much space.

What did you do with the feedback you received?

I compiled all the comments that I got and created a response review task list, which I broke into sections: things that we can just go ahead and do, things to buy now, and finally a list for things that need more review and budget approval.

How should CSOs go about asking for feedback after an event?

That depends on the culture of the company. My feeling is that the way we did it was the way to go. Send an e-mail out to everybody so that everyone feels like their views are important. You want people to think from the gut.

-Kathleen Carr

FROM THE DEPARTMENT OF BOLD STATEMENTS

“We can protect this country without throwing the Constitution out the window.”

-REP. C.L. OTTER (R-IDAHO), IN REFERENCE TO THE USA PATRIOT ACT
In a government sponsored trial of biometric security systems, LG IrisAccess outperformed every other system tested, proving to be far more accurate. Far faster. And over 1000 deployments confirm it.

LG IrisAccess™ Iris Recognition Systems provide unparalleled security for people and property. The winner in head to head testing. Proven in over 1000 installations, worldwide. LG IrisAccess makes world-class security surprisingly affordable. Visit lgiris.com/report. And see the difference it can make to your security.

The iris identity experts.

LG IrisAccess is produced under a technology license from Iridian Technologies, Inc. ©2003 LG Electronics US.
Patriot Act Roadshow

Marketing, rather than merits, will likely determine the fate of President Bush’s signature legislation. By Julie Hanson

ONE MONTH AFTER the worst terrorist attack on American soil, the Department of Justice garnered enough support to pass the USA Patriot Act. But with the passage of time, civil liberties groups have become increasingly shrill in their opposition to this law that gives the government and law enforcement broad monitoring abilities.

Their criticisms have attracted the attention of legislators and the media. In response, the DoJ has started its own marketing campaign to respond to accusations of the American Civil Liberties Union (ACLU) and others. The marketing of the act, and not its merits, may determine its fate.

The two major crutches of the government’s Patriot Act promotional campaign are a website, Lifeandliberty.gov, and speeches by Attorney General John Ashcroft to law enforcement officials around the country.

But if this campaign is designed to sway popular sentiment, it may be falling short.

The problem with the DoJ’s strategy stems from its inability to communicate its security platform to the general public, says Charles Lamb, author and professor of marketing at the M.J. Neeley School of Business at Texas Christian University. Giving speeches to law enforcement officials is preaching to the choir. The TV cameras are outside with the privacy advocates, and that’s where the message is getting to the masses, says Lamb.

According to Lamb, consumers are more likely to hear a commentary from an ACLU member on public radio than to happen upon Lifeandliberty.gov. Until the DoJ realizes that it needs to spend more time explaining why this law is necessary, privacy advocates will continue to sway hearts and minds.

Eva Neumann, president of ENC Marketing & Communications, which often works with the government, also sees flaws in the DoJ’s marketing campaign. When Neumann searched for “Patriot Act” on the Internet, up popped civil liberties sites and products — nothing from the DoJ. Even the title, Lifeandliberty.gov, appears to have little to do with the Patriot Act. The department claims it chose the title because the act is designed to “preserve the lives and liberties of Americans,” and the website, which has had approximately 50,000 visitors, reflects that cause.

DoJ spokesman Mark Corallo says security concerns about the Patriot Act have been addressed with town hall meetings across the country. He argues that the only reason Ashcroft is talking to law enforcement is to counter untruths about the Patriot Act. A Fox News/Opinion Dynamics statistic in July found that 91 percent of voters don’t think the Patriot Act has affected their civil liberties. Contrast that with a CBS News poll two months earlier where 52 percent of Americans were either “very concerned” or “somewhat concerned” about losing their civil liberties.

Whichever side you choose to believe is a matter of perception. But that’s why the battle over the Patriot Act won’t be won in the halls of Congress. It will be won on the picket lines, on the websites and on the nightly news. ■

News from Washington

To read more about what's happening in Washington, D.C., visit our website at www.csoonline.com/wonk.

Secretary of Homeland Security Tom Ridge appointed Amit Yoran to serve as the director of the National Cyber Security Division (NCSD) of the Information Analysis and Infrastructure Protection office. Yoran was most recently the vice president for managed security services at Symantec.

The DHS also announced the creation of the U.S. Computer Emergency Response Team, a partnership between the NCSD and Carnegie Mellon. US-CERT will coordinate international and national efforts to prevent, protect and respond to cyberattacks. This organization will eventually include members from the private-sector security vendor market.

The General Accounting Office documented how easy it is to acquire a fraudulent driver’s license because of the Social Security Administration’s limitations to verify information. According to the GAO, in one month, one state issued driver’s licenses and identification cards to 41 individuals who used the names, Social Security numbers and dates of birth of persons listed as deceased. Undercover GAO investigators used fictitious licenses to purchase firearms, avoid airport screeners and enter federal buildings. The GAO recommends that Congress create a national data-sharing system for driver records.

President Bush approved $37.6 billion in FY04 for domestic security programs and funding for the Department of Homeland Security. The DHS’s first appropriations bill includes $30.4 billion approved by Congress and $7.2 billion in fees. The new budget allocates $4 billion for first responders, $348 million for port security and border security, and $4.6 billion for the Transportation Security Administration.
Introducing Information Availability.

but if they can’t be used to run your business, they might as well be here.

You’ve dedicated tremendous time and resources to safeguarding your company’s mission-critical systems. But if it isn’t combined with a robust, redundant infrastructure, the latest technologies, professional expertise, and proven processes, you won’t achieve the levels of availability and uptime today’s marketplace demands. That’s why you need a SunGard Information Availability strategy. Working with SunGard, we’ll customize a total solution that helps ensure your employees and customers have uninterrupted access to the critical systems and data that run your business, 24/7. Make sure all your systems are “go”. To see how cost effective an Information Availability strategy can be, see our white paper prepared by IDC at: www.availability.sungard.com

MANAGED SERVICES • PROFESSIONAL SERVICES • BUSINESS CONTINUITY

Availability Services
Keeping People and Information Connected
Security Counsel

A Secure Infrastructure

Bill Boni, CISO of Motorola, answers readers’ questions on information security

Q: How do you integrate your privacy requirements into your security infrastructure?

A: We revised our information protection lifecycle documentation and classification frameworks to address data protection and privacy (DP/P) requirements for both new and legacy systems. Our approach is to focus on process and technology mechanisms that will prevent and detect risks to DP/P content through appropriate application of vulnerability detection, access controls and encryption tools.

Q: I’m building the security department for my organization. Do you have any preferences for who reports to whom?

A: There are two primary missions that must be accomplished — policy creation and policy execution. Many organizations have split these functions, but I think that is often less effective than a hybrid that combines the entire security organization into one team.

My personal preference is to have the protection team matrix between the corporate center and the business and operational roles. We operate with the business unit security manager’s solid line reporting to the enterprise CISO and a dotted line to the business CIOs. This allows the security staff to be vertically aligned to the mission and priorities of their units while providing consistent attention to policy compliance. It also allows a critical mass of security staff to be managed as a job family — providing career development, rotational assignments and a sense of belonging to a group of peers.

Q: Based on Sarbanes-Oxley, what are we legally obligated to do from an IT perspective? What kind of controls should we have to ensure compliance?

A: I’m always leery when anyone asks a nonlawyer for legal advice. (Let me be clear that my answer is not a substitute for advice from a knowledgeable attorney.) Since this is an example of an issue with multiple aspects to consider, it’s probably good to approach it from a task-force perspective with representatives from legal, IT, information protection and audit. This team should have the requisite backgrounds to review the organization’s business, and determine which systems manage the business operations and which manage the financial controls. Then look closely at the level of controls in those key systems from the perspective of reliance. Access controls, authorization, auditability and availability (disaster recovery) are all key elements that must be addressed to ensure that the systems will provide accurate and timely information for management’s use.

Q: What are your thoughts on the pros and cons of intrusion prevention from a host and network perspective?

A: The Defense in Depth paradigm remains as desirable as ever. To the extent that solutions are available that improve the capability to protect by providing complementary protection at both the network and host levels, we’ll have two chances to stop inbound attacks. Typically, network-based defenses tend to be more cost effective for large organizations with tens of thousands of hosts and applications to protect.

Q: With Wi-Fi and GSM users increasing greatly, is there much that you have seen to address or safeguard the devices and the intellectual property?

A: This is a key issue, as ubiquitous portable devices provide both remote access to proprietary contents and offline local storage of increasing volumes of such contents. We are familiar with several promising product solutions. One provides persistent protection to sensitive content, and another ensures devices comply with enterprise policies concerning passwords and content encryption and other key elements. To date, solutions have been expensive or limited to the platforms supported. I recommend any organizations with sensitive proprietary or regulated contents follow this area closely. The risks to key content will increase as portable and handheld devices equal the processing and storage capacity of recent laptops. ■

Ask Your Peers

Have a security topic to suggest or an expert you'd like to hear from? Send your thoughts to Assistant Managing Editor Kathleen Carr at kcarr@cxo.com. Go online to see what your peers are discussing.

www.csoonline.com/counsel
Qualys

Get a free security audit in minutes: www.qualys.com/cso or call 1 (800) 745 4355.

■ MEASURE the overall security of your network

■ ENFORCE and analyze your security policies

■ COMPLY with newly mandated regulations

[Screenshot: QualysGuard Technical Report, Summary of Vulnerabilities by Status (New, Active, Re-Opened, Fixed, Changed) and by Severity; sample finding "MS-SQL 8.0 UDP Slammer Worm Buffer Overflow", Category: Database, CVE: CAN-2002-0649, with Description, Consequences and Solution sections; further findings listed for Microsoft IIS, Windows Media Services, SSLv2 and Windows user list disclosure.]

Qualys is the market leading Web Service Provider for online security.

More than 1,000 enterprise customers rely on Qualys, including Apple, PeopleSoft, R.R. Donnelley, the Thomson Corporation, and Tower Records.

© 2003 Qualys, Inc. All rights reserved.

The CSO Perspectives Conference

April 18-20, 2004
La Costa Resort & Spa
Carlsbad, California

As an executive responsible for securing and protecting your organization’s assets and infrastructure, you must constantly weigh the needs of the business against the potential security risks likely to result from each endeavor or initiative. How much risk — and in what specific areas — is acceptable in your corporate culture? What are your potential legal liabilities? How do you comply with the shifting regulatory landscape? How do you agree upon, implement and continuously communicate the need for security throughout the organization?

The CSO Perspectives Conference will provide you with an educational and networking opportunity designed for senior security executives whose concern is the often delicate balance of risk and security: chief security officers (CSOs), chief information security officers (CISOs) and chief information officers (CIOs).

You’ll gain firsthand knowledge from your peers — professionals who have grappled with the same issues and challenges you're facing, as well as from experts in law, government and industry.

We’ll focus on:

> Lessons Learned in a Crisis
> Legal Liability Issues
> Protecting Intellectual Property
> The Psychology of Security
> Keeping Security a Top Priority
> Ethics — What are the Boundaries?
> The Impact of Homeland Security and the Patriot Act
> Business Continuity/Disaster Recovery
> The Security/IT Relationship

Join us. Call 800.366.0246 or visit www.csoperspectives.com

CSO
The Resource for Security Executives


Flashpoint 


Creeping 

Determinism 

Security  departments  that  rely  too  heavily  on  their 
outsourcer  to  troubleshoot  problems  could  be  heading 
for  disaster  By  David  H.  Holtzman 

“NASA  structure  changed  as  roles  and  responsibilities  were  transferred  to 
contractors,  which  increased  the  dependence  on  the  private  sector  for  safety 
functions  and  risk  assessment  while  simultaneously  reducing  the  in-house 
capability  to  spot  safety  issues.” 

-Columbia  Accident  Investigation  Board  report,  August  2003 

IT’S BEEN ALMOST A YEAR since the Columbia space shuttle accident—which brought the crash rate to 40 percent for this particular fleet. The investigation panel’s report blamed NASA’s contractor-dependent, decentralized organizational culture as much as any specific manufacturing defect. Several newspapers used the psychological term creeping determinism to describe this fatalistic, laissez-faire mentality that had permeated the agency—the growing sense of inevitability, especially in hindsight, that an accident of this kind would happen.

Security specialists, as well as scientists, can fall victim to this effect. Outsourcing critical and messy functions like security is seductive, the downside being less control and slightly more cost. But as the Columbia example illustrates, the cumulative damage from this detachment can be devastating. Delegating critical functions breaks the feedback loop, which can bring potentially serious problems to light. An outsider might tolerate a nagging issue because his attention is scattered among various projects. An insider usually won’t. Each tolerated error accumulates one upon the next, causing a buildup of unresolved snafus that can eventually lead to a massive failure.

“It is our view that complex systems almost always fail in complex ways.”

-Columbia report

Security is a major business system, and it reaches into every department and function. The combined complexity quickly becomes cosmic in proportions. An outsourcer’s methodology is based on previously seen problems, and it is effective against situations that progress in a slow, linear fashion. But this approach fails when faced with problems that rapidly expand in scope and complexity. In-house security, on the other hand, can stop these situations from spiraling out of control by triaging troubles at first sighting, inhibiting the runaway tolerance of risk.

“Changes in organizational structure should be made only with careful consideration of their effect on the system and their possible unintended consequences.”

-Columbia report

For exposed security departments seeking additional cover, security contracting seems more panacea than placebo—turning a weakness into a strength. Moreover, it’s easy to find someone to hire. Since the terrorist attacks of 2001, security consultancies have been springing up like toadstools after rain. But too often, companies are picked without consideration to their long-term ability to serve the contract. Any company that is considering completely outsourcing its security would do well to give that decision long and careful thought. If security is a business-critical function within the company, it should be internally managed. Hiring an extra set of hands or feet is fine, but the brain, eyes and ears should stay attached to the body.

“Changes that make the organization more complex may create new ways that it can fail.” -Columbia report

Using contractors is not inherently stupid, but it must be managed and recognized for what it brings to the organization, both good and bad. On the plus side, it is useful to have experts available who are paid only when used. However, security is a management function, not a specialty. The extra complexity that comes with detaching it from the rest of the company should not be taken lightly, any more than a mature organization would consider renting a CFO.

The failure of process is always a tragedy, distinguished in severity and scope by the significance of the mission. Lessons learned in one case apply to all, even if we aren’t rocket scientists.

David H. Holtzman, former CTO of Network Solutions, also worked as a cryptographic analyst with the U.S. Navy and as an intelligence analyst at DEFSMAC. He can be reached at david@globalpov.com.

ILLUSTRATION BY ALAIN PILON




Location matters.

Because without it, you don't have the whole story.

Is a web visitor in Notre Dame or not? Are they someone you want to grant access to or will they hack into your network and hold you (and your company) hostage? You can ask for location verification, but how do you know the truth?

With Quova's GeoPoint geolocation technology, companies can determine the real-world location of a website visitor - all the way down to their city. And that can help you avoid doing business with the wrong people. Using Quova's unique closed-loop methodology, GeoPoint lets you authenticate users, manage access, configure intrusion detection to block traffic from high risk IP domains and deny potentially fraudulent transactions. Giving more proxy information than any other provider, GeoPoint even offers network connection and performance data with pinpoint accuracy.

With Quova's fully integrated enterprise solutions, companies have unparalleled confidence in their network security plans and fraud prevention activities.

Get the whole story. Call Quova today:

1-877-737-8682

www.quova.com

CIO ENTERPRISE VALUE RETREAT & AWARDS CEREMONY


FEBRUARY 8-10, 2004

TRUMP INTERNATIONAL SONESTA BEACH RESORT
SUNNY ISLES BEACH, FLORIDA

IT’S ALL ABOUT IT VALUE


This is the event for CIOs who are concerned with articulating, delivering and demonstrating the value IT brings to the enterprise. While some pundits say IT is only a commodity, we believe IT continues to be at the forefront in increasing your competitive advantage. To give you more ways of looking at IT value, we incorporate research and case studies from Peter Weill’s work at MIT Sloan School of Management. We put you together with CIOs who are the winners of this year’s CIO Enterprise Value Awards.

And we give you the opportunity to learn from each other.


Call 800.355.0246 or visit us at www.cio.com/conferences

“The discussion and information exchange with peers is invaluable.”

Robert Odenheimer, SVP, IT Operations, Magellan Behavioral Health

“The content presented by Peter Weill was an excellent framework to discuss current challenges with a very interesting peer group.”

Chris Acton, Global IS, RioTinto Borax

“Lessons learned are not the usual academic fare, but the subtleties of the cultural and technological minefields.”

Evelyn Lockett Woods, EVP/CIO, Joint Commission on Accreditation of Healthcare Organizations

Call 800.355.0246 or visit us at www.cio.com/conferences


Retreat Moderator

Peter Weill

Director, Center for Information Systems Research, MIT Sloan School of Management

The Case Studies

Peter Weill once again presents new findings and case studies from work with hundreds of Global 1000 companies, focusing on three key areas: IT infrastructure for strategic agility, effective business models, and IT governance.

> IT Infrastructure for Strategic Agility

Strategic agility—the ability to implement new business initiatives quickly and cost effectively—will be an increasingly important capability for enterprises in 2004. IT infrastructure is one of the critical platforms required for strategic agility. Investing in the right infrastructure at the right time enables rapid implementation of future electronically based business initiatives and cost reduction of current business processes—i.e., more business value. This session presents a framework for senior executives to view IT infrastructure in business terms and to lead in making investment decisions. Weill illustrates how firms successfully implement and exploit their IT infrastructures with several case studies.

> Do Some Business Models Perform Better than Others?

In an increasingly connected business world the business model—what a firm does and how they make money—is a critical strategic decision. Understanding what business models are used, how they are combined, and which are most successful is important for every senior manager. In addition, firms implementing each model use IT differently—resulting in different IT portfolios. This presentation provides a new and powerful way to analyze a firm’s business model and then think about the IT needs.

> IT Governance Workshop

In response to strong interest in last year’s session on IT governance, Weill leads a workshop on how top performers govern. He presents case studies and insights from MIT CISR’s study of effective IT governance in 256 enterprises in 23 countries. A framework is presented in this workshop to analyze and communicate governance, illustrated with case studies of top performers.

> Monday’s Case Study Workgroups

Monday at lunch we divide into small groups to investigate the link between business strategy and IT infrastructure in a new case study. The case is based on a global multi-business unit firm in the healthcare industry moving from a fully decentralized approach to information technology to providing some firmwide IT infrastructure. The challenge for your group is to advise the newly appointed CIO. Groups will report back with their recommendations.


The Enterprise Value Award Winners

They’re scrutinized by CIO editors, Review Board members, and our judging panel of top-notch CIOs. Meet the winners of the prestigious CIO Enterprise Value Award and learn how they delivered true value.

> The Value Proposition

Our panel of CIO Enterprise Value Award winners talks about the ongoing difficulty inherent in demonstrating and delivering IT value. How do you convince your CEOs, CFOs and COOs—who may think IT is just a commodity, a utility—that its intelligent application and deployment can and does indeed bring strategic value to the business?

> Monday Night’s Gala Awards Ceremony & Dinner

We’ll announce the winner of the Grand CIO Enterprise Value Award—and honor all the winners in the industry categories at a black-tie reception, awards ceremony and dinner. It's a great time to celebrate with your CIO peers.

> Conversations with This Year’s Winners

We offer breakout sessions with the CIOs of this year’s winning organizations. It’s your chance to talk at a more intimate level, discuss their particular case in more detail and take away lessons you can apply to your own organization back home.


The Peer Networking

CIOs tell us it’s as important to have opportunities to meet informally with their peers as it is to participate in the Retreat sessions. We give you more opportunities to meet and learn from more of your peers over three days, with the golf tournament Sunday morning, informative chats at breakfast and lunch roundtables, the intensely interactive case study workgroup sessions, and relaxed conversations during the daily receptions. And we’re happy to hook you up with other attendees or corporate sponsors you'd like to meet.


Sunday Night Special Event

Jimmy Tingle’s Uncommon Sense

It's a scary, unpredictable—and absurd—world we live in. Satirist, comedian and commentator Jimmy Tingle takes us on a highly personalized tour of the absurdities of modern life. You’ve got to laugh to survive.


This year’s Enterprise Value Retreat Awards Ceremony is proudly underwritten by

bmc

Presented by

CIO

The Resource for Information Executives


Focus on quality instead of speed, says Michael Bacon, VP and corporate security manager at Wells Fargo.

…CAN BE MORE. HERE ARE SEVEN TIPS FOR DISCOVERING HOW TO SQUEEZE EVERY BIT OUT OF YOURS.

By Daintry Duffy


EXCEPT FOR THE BONE-CRUSHING HITS and the chop blocks, security isn’t all that different from professional football. Really. Compare, for instance, your security budget with the annual salaries of professional football players. You’ll find that both are based on tangible and intangible valuations. The salary paid to an NFL player is based largely on the stats of his gridiron performance—the number of sacks, rushing yards or touchdowns—and it will determine whether he can afford to buy the Hummer or will have to cheap out on a Land Rover Discovery. But there are other, softer factors reflected within all those zeros, like the player’s marquee value, the number of kids who want to wear his jersey, and his leadership on and off the field.

Cover Story | Security Spending


PPG's Regis Becker says it's important not to be too deferential to the chain of command.


Similarly, the security budget outlines the basics of how much staff the CSO can afford, the system upgrades that he can make and the new technologies that he can invest in. But it also takes into consideration some squishier facts about the security organization—its perceived value within the corporation and the respect accorded to the CSO and his abilities.

The big difference? In NFL contract disputes, when players say it’s not about the money, it’s usually about the money. When they say that it is about the money, it’s really about respect. But for CSOs trying to eke every penny out of their security budgets, it’s about both.

For many CSOs, their departments’ cost-center status is not just an accounting designation, it’s a state of mind. The good news is that the CSO is no longer the corporation’s poor relation. Many say that their budgets have increased—even in some cases where funding for their business counterparts remained flat. Research findings confirm those anecdotal reports. In a worldwide study conducted by CIO (CSO’s sister publication) and PricewaterhouseCoopers released in October of this year (see “The State of IT Security 2003,” October), approximately 7,500 CEOs, CFOs, CIOs, CSOs, and vice presidents and directors of IT and information security were polled on their security spending habits. When asked to compare their 2003 security budgets with 2002, 45 percent of the survey’s respondents indicated that their budgets would increase a little, with 17 percent claiming that the increase would be significant. Only 8 percent of respondents said that their budgets would decrease.

It turns out that increasing funding is not just a wish or a goal for the CSO, it’s a strategic initiative. A full 30 percent of respondents reported that one of their top strategic objectives is to expand that budget even more. When respondents were asked what factors presented a barrier to good security measures at their organizations, a limited budget far outweighed any other response.

But the reality for CSOs is that no matter the size of the security budget, it never seems adequate when weighed against the growing risks and responsibilities they need to tackle. “Is it enough?” asks Greg Avesian, vice president of enterprise infrastructure and security for Textron, where the security budget increased this year. “It’s never enough. I have to make the most efficient use of those valuable dollars.”

We asked CSOs to share with us their strategies for making the most of their security budgets, and we gleaned their advice on the best—and worst—areas to make cuts.

1 Be the Chief Self-Esteem Officer

Think of it as taking a Stuart Smalley moment. Recalling the Saturday Night Live therapist who began each skit with his daily affirmation, CSOs are good enough, smart enough and, doggone it, people like them. So have the confidence in your own judgment, and push back for funding when it’s necessary.

To many, CSOs are the guys who step in at the last minute and delay business-critical projects by adding expensive controls of which only they can see the value. Many suspect that their peers have internalized those perceptions, affecting their ability to push through the funding for necessary initiatives.

And because they often have military and law enforcement backgrounds, CSOs also tend to be individuals who have a great deal of respect for authority, says Marene Allison, director of global security for Avaya. “In many situations, the security person is used to being compliant, and I sometimes think we need to learn to be a little more aggressive—to toot our own horns a bit more,” she says. That doesn’t mean getting in the face of every executive who disagrees with you. “You don’t want it known that the security director took down some executive over business continuity planning,” she cautions, but CSOs have to be more forceful about pushing back on important budget issues instead of taking “no” as the last word.

Regis Becker, global director of security and compliance for PPG Industries and former president and chairman of ASIS International, was actually reprimanded early in his PPG career for being too compliant. “I have a law enforcement background, and I was told that I had an almost unhealthy respect for hierarchy,” he says. Becker’s manager at that time told him that he was too deferential to the chain of command and suggested that if he had a funding request he felt was critical, he should take it straight to the CEO and dispense with the often fruitless process of bouncing the initiative off a succession of underlings.

On the flip side, CSOs as a group can also be prone to overreaction. Post-9/11, some CSOs took advantage of the loosened security purse-strings. “A lot of folks don’t take the process seriously enough. They’re too quick to judge,” says Michael Bacon, vice president and corporate security manager at Wells Fargo. Bacon notes that after 9/11, his team didn’t run straight to management clamoring for more funding; instead, he put management on notice. “We said, ‘We will be coming to you, but first we’re going to do a thorough assessment of our needs.’ We focused on quality versus speed.” The only people who usually benefit from a knee-jerk emotional reaction to a security event are the vendors. Remember: When pursuing budget dollars, CSOs need to be calm, deliberate and forceful.


2 Don’t Pass the Buck, Pass the Check

Another strategy for cost savings is to look at exactly what is included in the budget. Are there projects and programs that shouldn’t be there? “Security organizations often pay for big corporate programs that should be moved into a business unit’s budget,” says Bacon. At Wells Fargo, the security group looks for opportunities to farm those expenditures back out to the business units. They are, after all, the beneficiaries of many of these security programs—they just don’t realize it yet. This is often due to a poor sales job on the part of the security team. CSOs must do the legwork of selling business units on the benefits of new security technologies and programs, and that can be hard for an organization that tends to be autocratic with its peers. When successful, however, it’s an effort that quite literally pays for itself.

Bacon finds that an effective technique for getting the business side to pay for a security initiative is to take his argument to finance before trying to sell it to the individual business unit. “For CFOs, consistency is king,” says Bacon, who notes that once you get the financial folks to sign on to the notion that a business unit should pay for its security initiatives, it becomes much easier to float that idea in the future. It’s also much easier to then sell the cost of the program to the business unit with the CFO’s seal of approval.

That strategy requires a particular delicacy, especially in companies where the security budget has increased but where budgets for operating units have remained flat. Bacon expects a 15 percent to 20 percent increase in his budget for security equipment, although the corporate stance is flat on business unit budgets and staffing across the board. That, he says, places an even greater pressure on security to justify the dollars it gets while asking business units to invest in security as well.

3 Practice Pavlovian Security

CSOs can save themselves considerable budgetary wrangling when they lean on policies, procedures and behavior modification techniques instead of expensive technology solutions. “Nine times out of 10, policy changes are more valuable than a financial expenditure,” says Bacon. Instead of hiring guards and putting in an expensive card access control program, try locking a door or putting up a wall. If policy changes are your weapon of choice, work with HR to put in consistent penalties for the petty but pernicious offenses of letting unauthorized people through access controlled doors or propping a door open with a trash can.

When you're trying to eke savings out of a security budget, it can be tempting to tell yourself they are one-time cuts. “I’ll get back on track next year when funding prospects are rosier,” you promise. But some cuts are always a bad idea.

The CSOs we spoke to recommend that their peers should never cut back their investments in the following areas.

ANTIVIRUS UPDATE RENEWAL

Antivirus is a staple of the security budget, and if the flurry of worms this past August taught you nothing else, it certainly illustrated the idea that virus and worm writers are a prolific crew. If they aren’t going to take a break, neither can you.

PATCHING AND AUTOMATED PATCHING TOOLS

If only software manufacturers were as diligent and detail-oriented as virus writers. Until they are, patching will be another core function of the security group that can’t be ignored.

EXTERNAL SECURITY AUDITS

The external security audit is a huge line item, and security groups are often tempted to take it in-house for a year or so to avoid the exorbitant cost. But frequently the security staff is too swamped to do it, and it gets put off until the next year and vulnerabilities go unaddressed. Put your efforts into haggling down the cost of the audit, but don’t forgo it.

PERIMETER SECURITY

You’ve heard it said that the corporate security perimeter is ever-expanding, so the perimeter defenses that you invest in should be growing in tandem. Intrusion detection systems and firewalls need to be updated and upgraded to keep pace with the rapid expansion of your network.

“We can put in this security, which is the Cadillac, or we can put in the Corvette or the Pinto version. I lay out the options, the cost and the risk and let business make an informed decision—and you know, they never choose the Pinto.”

-MARK BURNETTE (RIGHT), GLOBAL INFORMATION SECURITY OFFICER, WILLIS GROUP

Paul Viollis, a 22-year veteran of law enforcement and security and author of Jane’s Workplace Security Handbook (Jane’s Information Group, 2002), postulates that the greatest “technology” available to the security organization is one that is inexpensive yet generally ignored—the power of corporate culture in achieving good security. “The most cost-effective way for any organization to allocate resources to security is to reengineer the culture of the company,” says Viollis. “Training employees to be aware of security risks and how to handle them is far more effective than throwing money at a security front that isn’t properly enforced.”

And training doesn't have to be expensive. At Textron, Avesian’s team created and launched an internal website devoted to security awareness—The Textron Information Security intranet. The site’s content is focused on the employee and contains security policy dos and don’ts. Avesian’s barometer for what to put on the site was based on a simple question: “If I had only so much time to spend with each employee, what would I want them to take away from the conversation?” The result is a synopsis of the corporate security policies and guidelines that appears in seven languages on the site so that offices across the world can access them, as well as disaster recovery templates, frequently asked security questions, and security tips and tricks (such as a guide to creating secure passwords).

As a general rule, spending a little money up front to enforce a policy is usually cheaper than brazening out the potential long-term financial risks of doing nothing. Investing in enforcement mechanisms such as CCTV cameras at doors, for example, can help with access control problems, will be cheaper than hiring guards and might even negate the potential financial liability that could be incurred if lax access control ever led to a serious security incident. When Mark Burnette first joined Willis Group as the global information security officer, he found that the company had plenty of good security policies but was lacking the necessary enforcement. “You can write a fantastic policy,” he says, “but it only works if you enforce it and audit it.” He updated the company’s password policy to require more secure passwords, but the operating system at the time didn’t provide any way to technically enforce it. Setting a secure password policy with no enforcement mechanism would have been pointless, so Burnette installed an add-on system component that would allow them to enforce it.

4 Become a Fast Follower

Security is one area where there is no prize for first place. That’s especially true when CSOs waste their budgets on new technologies that aren’t quite ready for prime time. Being the first CSO to implement a brand-new technology might earn you the envy of your peers, but it probably won’t get you the admiration of your CFO.

CSOs trying to stretch budgets should leave the technology heroics to others. Which doesn’t mean you have to lead a new Luddite movement. At PPG, Becker lets other companies be the technology guinea pigs. “We like to think of ourselves as fast followers,” he says. “We don’t jump in too early with most technologies; in fact, it’s rare that we’re ever a technology leader.” Becker prefers to wait until the kinks have been worked out, after others have learned the hard lessons. Then he benefits from their experience when he feels the technology is ready. “I would never be comfortable pitching a biometrics application,” he says by way of example. “We go with the sound, long-term, successful options—in this case, closed-circuit TV and access control.” That might sound a little dull, but it’s certainly preferable to the excitement of having to explain to the board of directors why the expensive biometrics application you purchased last year didn’t work out.

Free network scanning tools and open-source software can be tempting ways to increase security for CSOs who are looking to cut back expenses. Steve Katz, former CISO with Citigroup and Merrill Lynch, and current president of Security Risk Solutions, says that tight budgeting has led more than a few CSOs to turn to “free” tools. But he cautions security execs against blindly falling prey to their lure.

“You’d better really know what’s going on in that thing, and you’d better use a good code analysis tool,” says Katz. “When you use tools like that, you may end up sleeping like a baby,” he says sarcastically. “You get up every two hours and cry.”

5 Communicate Early and Often

CSOs may be good at talking with their teams, but when it comes to their executive peers, they’re typically not as skilled. That only makes the task of budget planning harder because poor communication means that the security team doesn’t know what business units have in the works and which projects will require security attention and expenditure in the coming year. “The security guys are often out of touch,” notes Whit Diffie, CSO of Sun Microsystems. “In the long run, cost savings are going to be a function of better communication.”

At Willis, one of the effective techniques Burnette has found for making sure that security is brought into the loop is the power of choice. Interaction with security is much more appealing for businesspeople when they have some control over what kind of security controls are going to be put in. Business units used to come to Burnette’s security group with their projects nearing completion and ask for the cheapest solution possible. But now they come to security much earlier. Burnette lays out options for them in all price ranges. “We can put in this security, which is the Cadillac, or we can put in the Corvette or the Pinto version,” he says. “I lay out the options, the cost and the risk and let business make an informed decision—and you know, they never choose the Pinto.”

Most CSOs know by now that they have to be able to speak in business lingo in order to be successful, but budget issues are an area where this can be especially helpful. “We try to put [security] in business terms, and we outline it as we would any other cost benefit,” Burnette says. “You have to think like they think, prove it, explain the risks, benefits and payback, and explain how it benefits their business bottom-line.” Security doesn’t have to make money; most of the time it’ll be a cost. But when making a request for funding, CSOs are often afraid to actually talk about money. They are in their element talking about the technology, but after business execs hear the words “robust and scalable” for the third time, their eyes glaze over and they’re thinking about how they shanked the ball on the 14th hole. Instead, talk about the financial benefits of the investment you’d like business to make. An improved access control system can be tied to a reduction in theft losses at a facility, and an upgraded firewall can be translated into improved network uptime and a drop off in nuisance viruses.

Believe in Vendors

OK. So, right now you’re raising a single eyebrow, maybe both, and asking “When has a security vendor ever saved me money?” Probably never, we know, because most CSOs treat vendors like an opposing combatant in battle who just happened to end up in the same trench. But, if you turn those arm’s-length relationships into strategic partnerships, you can squeeze a much greater benefit out of the money you’re already paying them and offload security tasks that you don’t have the budget to do in-house.

Try challenging your vendors to deliver more value for the exorbitant prices you’re paying. “Push as much as you can onto vendors, and use their resources as an extension of your programs,” suggests Bacon.

Avesian has formed strong relationships with his third-party providers, AT&T and IBM, and calls it a “real” partnership, as opposed to the kind that you hear about in a press release or advertisement. Representatives from IBM and AT&T are members of Avesian’s security leadership team, and he goes to them for just about everything security-related, whether or not it falls within the delineation of their contract. He’s had IBM host a disaster recovery workshop at Textron, runs security policies by them and has visited their security operations facility in Boulder, Colo., to see new technologies and further his own security education.

But as everyone knows, security vendors can also be indifferent partners to say the least. CSOs can sometimes save money and achieve a higher quality of service if they are able to redeploy their own internal resources to accomplish a task. At PPG Industries, Becker has been frustrated with the level of reliability and service of their access control vendor and is examining strategies in that area and others to eliminate service agreements and bring some functions back in-house. “It’s tough to get attention when there are just a few big players in the market,” complains Becker. PPG is already successfully relying on its technical staff in its R&D business centers to do more and more of the general security tech support.

Use People, in a Good Way

When budgets tighten, the security organization’s staff often falls under the scrutiny of business leaders eager to cut costs. While CSOs hate to lose their employees, the justification has to be there for each person on the payroll. At Avaya, Allison looks for ways to get value out of every member of her team. “There’s a tendency to cut back on staff, and they really are the biggest investment that you have,” she says. As in any industry, the younger employee is cheaper, but in security, youth is no match for experience. “I may have a young investigator and an old investigator, but the older guy can get that confession on the table,” says Allison. Instead of teaching old dogs new tricks, Allison’s strategy is to let the old dogs and the young dogs run together and learn from each other.

The importance of keeping skilled employees over cheaper, inexperienced labor is seconded by Stephen Baker, vice president and manager of corporate security at State Street Corp. “I would rather pay more money and have less officers than have a whole bunch of officers that don’t know what they’re doing,” he says. “I want the ex-military guy that knows when to ask questions, and I think that’s a lot more valuable than a high school student on a learning curve.”

One area that most CSOs agree is ripe for finding cost savings is in guard contracts. “Everybody spends millions on guards whose contracts must be continually reassessed,” says Bacon. That’s challenging because, as he points out, guards become “an emotional fixture.” Even in cases where they are not adding enormous concrete value, people perceive a greater sense of security because of their presence. Bacon has used technology to reduce some of those guard costs with the integration of access control, CCTV and digital video systems to remotely monitor sites.

Automation of tasks such as patching software can also produce tremendous cost savings. When the Blaster worm started making its rounds, the security team at Willis had to manually patch the software on many of its machines as well as get on the phone to offices around the world to walk them through the patching process. It was a successful effort, but Burnette estimates that the task took his team the equivalent of about 200 workdays to accomplish. It clarified the importance of automating patching as well as other rote tasks that zap his organization’s time and funding.

Deputizing individuals in other business units to act as ad hoc security personnel is another effective strategy that CSOs use to expand their security staff without stretching their budgets. At PPG, Becker utilizes the human resources and health and safety individuals at some remote locations as his onsite security people. “If you can increase the amount of time someone spends on security by 5 percent, that’s a free-to-me cost savings,” he says. Bacon does the same thing by treating security as a team sport and relying on multiple business units to complete a project. “They don’t work for us, and we don’t work for them,” he says. “But we use four to five business lines to complete a project, another reason that our funding efforts are successful.” When Bacon makes a presentation, it’s not just his name on the bottom line, it’s a team effort.

CSOs need to be able to speak the business language; they should make their security decisions based on the business fundamentals of risk and ROI. Nowhere is that more important than in the budgeting process, where CSOs need to be able to weigh cuts and expenditures with the clear-eyed steadiness of a CFO. “Typically, the average life of a CSO at a company is something like 18 months,” says Allison. “During the first six months, they ask for the moon, and by the last six months they probably don’t get anything. That’s not a causal effect,” she adds. “It points to the lack of business skills needed to get the budget through.”

CSOs who learn to marry an intelligent evaluation of where to cut with some of the softer business skills and techniques needed to make a compelling case for funding are destined to be the real players within their companies. ■

Send feedback to Senior Editor Daintry Duffy via e-mail at dduffy@cxo.com.


Defend Your Budget

Tina LaCroix, CISO of Aon, answered readers’ questions about security budgets in the February 2003 session of Security Counsel. Go to www.csoonline.com/counsel.




U.S. companies continue a pell-mell rush into offshore outsourcing of software development. Those that haven’t stopped to look at global intellectual property law are in for a big surprise. By Michael Fitzgerald

IN THIS STORY: How offshore software development puts intellectual property at risk ■ Developing intellectual property case law in India ■ How to write a safer offshore outsourcing contract
Offshore Outsourcing

The Sting

ON A TYPICALLY STEAMY NEW DELHI day in late August 2002, Nenette Day walked into the Ashoka, one of the city’s best hotels, for a meeting with Shekhar Verma. Verma had been fired from his job at Geometric Software Solutions Ltd. (GSSL), an outsourcer based in Bombay. He claimed to have the source code for SolidWorks Plus’s 3-D computer-aided design package, which GSSL was debugging. Verma had contacted a number of SolidWorks’ competitors and offered to sell them the source code. Day, an American, had taken the bait and flown to New Delhi. After confirming that what Verma possessed was indeed SolidWorks’ source code, Day began negotiating on price, eventually bargaining him down to $200,000 for the code. The deal struck, Day got up and left the room. Then agents from India’s Central Bureau of Intelligence (CBI) swept in and arrested Verma. Day was not arrested; she is actually a special agent out of the FBI’s Boston Cybercrime Unit and had gone undercover to work with the CBI on this case, the first undercover operation for the FBI in India.

The arrest led to the first prosecutorial filing for outsourcing-related intellectual property (IP) theft in India, in a case that may come to trial before year’s end. Given that software outsourcing was a multibillion-dollar business in India last year, the trial will draw close scrutiny from both sides of the world. Sound like an open-and-shut case? Day herself is not nearly so confident. “With no case precedents, the reality is we have no idea how this plays out under their law,” she says. Day also says that Verma made two small mistakes (she declines to specify them) without which he could have already gotten off scot-free, and that after a full week in India working with the prosecutors this fall, Day still doesn’t understand the applicability of at least one of the critical charges.

Intellectual property, if stolen, “is a genie that can’t be put back in the bottle,” says Day. Currently, she says, “there is really no law to protect American companies’ intellectual property.”

U.S. companies need to think seriously about what that means. Consulting company McKinsey estimates that by 2010, the U.S. IT industry will save $390 billion through offshore outsourcing of software development. But it also opens up new channels of industrial espionage in bitterly poor nations that often don’t have laws protecting foreign companies and rarely enforce whatever laws may exist. India, obviously eager to protect its national income from outsourcing, is scrambling to demonstrate that it takes foreign intellectual property seriously. Some observers say that other countries vying for outsourcing dollars are even worse when it comes to providing legal protection for intellectual property. Court cases are still relatively hard to find, but that’s about to change. Smart companies need to reexamine their outsourcing contracts and make sure that they aren’t at risk of becoming the test cases.

The Jungle

IT WOULD BE WILDLY SPECULATIVE TO SUGGEST THAT THE SolidWorks case will even slow the bullet train that is offshore outsourcing of software development. The National Association of Software & Service Companies (Nasscom) alone expects its outsourcing business in India will increase by 26 percent to 28 percent this year (Gartner predicts even faster growth for higher-level business process outsourcing worldwide). India’s IT sector exported $10 billion worth of goods and services last year, and projects it will reach $21 billion to $24 billion in 2008. Meanwhile, Forrester Research estimates that in the next 12 years, 3.3 million IT jobs will leave the United States and go overseas. These trends won’t reverse because of one case of an employee gone bad. “This is dealing with a rogue employee who left and stole information. That happens everywhere,” says William B. Bierce, partner in Bierce & Kenerson, a New York law firm specializing in outsourcing and international business law.

The key question, of course, is the real degree of risk U.S. companies face. If overseas IP theft court cases are hard to find, doesn’t it stand to reason that CIOs and CSOs are doing a decent job of protecting corporate IP assets? Dean Davison, vice president and director of outsourcing and service provider strategies at Meta Group, emphasizes that he almost never hears complaints about IP thefts, and in general doesn’t hear horror stories about overseas outsourcing. On the other hand, Elliot Turrini, an attorney with McElroy, Deutsch & Mulvaney, sounds much more dire. “Intellectual property is a legal fiction we’ve created to ensure a return on investment and promote the arts and sciences,” he says. In countries with less developed laws, Turrini says, “Basically you’re wide open.”



Anecdotally, there are additional examples of IP spats overseas. Davison does say he’s aware of one case where a U.S. company outsourced product design to an Indian firm, which successfully completed the project, then turned around and used the code to create a version for the Indian market. The U.S. company didn’t care because it had no interest in the Indian market. A third case is currently pending in India. Legato Systems, a maker of storage software, has alleged that eight of its former employees in India took some of its intellectual property with them when they went to a competitor. Legato declined to comment on the action publicly, though one of its officials, speaking as an individual, told an Australian publication in February that he would recommend against future offshoring in countries without better legal protections.

The irony: While these IP theft cases are from India, that country actually has a much better cultural and legal climate for IP protection than many other nations offering offshore coding. Observers say India has a culture that generally seems to respect intellectual property, as compared with China or Russia, for example; consider those nations’ records regarding piracy of shrink-wrapped software and of copyrighted materials such as movies and music.

Indeed, Indian prosecutors in the SolidWorks case appear to have decided to charge Verma in part to establish firmer support for IP rights. India does not have laws against trade theft, so prosecutors filed charges against Verma under a general civil theft law, with a secondary charge of criminal breach of trust against his employer, GSSL. Another charge, pertaining to copyright law under India’s recently enacted IT Act, was added later. But despite being caught red-handed, Verma might well win his case. Because the source code didn’t belong to GSSL, technically, Verma didn’t steal from an Indian company. Thus India’s laws don’t necessarily apply. It’s a frustrating situation for U.S. law enforcement officials. As Day says, “How can he steal something from GSSL when they don’t own it? And when the nondisclosure breach of trust was signed between him and SolidWorks?”

Those are fine questions, and U.S. companies should look closely at the way the Indian courts and government respond to them.

Nondisclosure works well in the United States, which has laws like the Industrial Espionage Act of 1996, which makes it a criminal offense to steal trade secrets. But the law does not apply to non-U.S. citizens acting outside U.S. borders. Bierce, though, says India’s reaction is already reassuring for U.S. companies. “Even if [the prosecutor] doesn’t win, he’s inspired fear,” he says. He also says that if prosecutors lose the case, they’ll almost certainly complain that India’s existing legal structures are not sufficient. Bierce predicts that “some bright, young legislator will propose a new, more specific law.”

The Fine Print

PERHAPS. THEN AGAIN, IT MAY BE A LONG wait. Many observers still say too few U.S. companies worry about intellectual property theft when they send software development overseas, and that those that do fret nevertheless don’t make sufficient efforts to protect themselves contractually. Why the Alfred E. Neuman-like serenity? In the case of India, which by some estimates has about 90 percent of the market for offshore software outsourcing, it’s largely because the country is a member of the World Trade Organization and adheres to its intellectual property add-on, Trips (Trade-Related Aspects of Intellectual Property Rights). In addition, several of the largest Indian outsourcing companies are incorporated in the United States and can be sued here. But Trips protections still must be enforced locally, and no countries prominent in software outsourcing have local laws covering theft of trade secrets.


HELP PROTECT YOUR INTELLECTUAL PROPERTY

1. Send people to inspect the physical premises where the software will be written. Note whether buildings have basic security check-in procedures and the like. Find out what kind of access people have to key systems.

2. Look closely at the way networks function, particularly if you plan to use virtual private networks. These are good for cross-facility communications, but make it easier for remote employees to work from home or on notebook computers, which can increase vulnerability.

3. Protect important information, like source code, with passwords and access codes, and make sure that these are not widely available, either in the United States or at the outsourcing location. Approvals do reduce flexibility, but not as much as they reduce risk.

4. Demand that the outsourcer have tight human resources screening. Look for employee retention figures, find out if competitors do business with the same companies, and if so, ensure that there is no contact between teams.

5. Know what risks your own organization can take. Regulated industries such as health care and financial services need to keep closer controls over data and software development than, say, packaged goods companies.

6. Work to understand the legal system and culture of both countries. Negotiate contracts that make the offshore company responsible for the actions of its employees.

7. Budget for greatly increased telecom costs, as well as for regular visits to the outsourcer.

8. Make sure that any test data being used does not expose real information traceable to real customers.

9. Always maintain an original copy of source code. This step seems obvious, but in one Y2K outsourcing case, a company was unable to prove a bug had been added to a program because it had not kept its source code. -M.F.


“Complying with Trips is a starting point, but plenty of countries have signed Trips agreements. China is one of them, but there are plenty of examples of piracy or misappropriation of design by Chinese firms,” says Michael Murphy, an attorney at Shaw Pittman in Los Angeles. Trips signers or not, if a country’s culture does not respect property, the courts are unlikely to enforce laws. Several sources interviewed for this article agreed, though not for attribution, that China regards intellectual property, especially that of foreigners, as communal property.

Despite its near miss on source code, SolidWorks has no plans to stop outsourcing to India. It won’t even change business partners. It has worked closely with GSSL for more than six years, and has had the company do its debugging for the past five.


“It’s been a very good relationship for us,” says Holly Stratford, vice president and general counsel for SolidWorks. “We think it’s very cost efficient, and it’s a talented group of people. At times they’ve been almost a virtual office of ours.”

Instead, both companies underwent intensive internal security analyses, Stratford says. “We obviously reviewed with them what their procedures were that made this possible, and they instituted a lot of revised procedures,” most of which she won’t disclose, though she does note that GSSL won’t let employees take home source code to work on it anymore. SolidWorks also has substantially changed its security procedures for U.S. workers, ranging from the way it handles access codes and office security to what it makes available on servers for remote workers. She says this might create some inconvenience for employees, but they don’t grumble much about it. Stratford says the prompt response by the FBI and India’s CBI quickly addressed SolidWorks’ main concern, which was making sure it got its source code back. After the sting, all the copies of the source code were recovered from Verma’s quarters. As for any strain in relations, she says matter-of-factly that “the reality is, everybody has the same issue with their own employees.” To her, a potential landmark case serves mostly as “a wake-up call.”

The truth is, SolidWorks got lucky. Verma allegedly contacted several competitors; only one of them told SolidWorks that its source code was up for sale.

Praba Manivasager, CEO of Renodis, an offshore advisory firm, says that he expects the Indian government to move quickly in passing stronger intellectual property laws, with the full support of Nasscom, India’s main software association and a powerhouse lobbyist in the country.

Manivasager notes that the Indian government is already working to change its traditional reputation of being guarded and difficult to work with, both because the country is competing with China for overseas investment and because existing business investors were nervous about India’s near-war with Pakistan two years ago. “It’s actually overhauled a lot of international policies to help foreign investors come into India,” he says. “This case could serve as a landmark case, but it will most likely solidify what we are seeing, which is more and more support for international business. The Indian government has a lot to lose” if it doesn’t take the case seriously, he adds.

The Closing Argument

LAWS OR NO LAWS, MANY BELIEVE IT WOULD HELP IF U.S. companies would treat offshore software outsourcing with greater care. Many companies looking to farm out their development work care only about dollar savings and can be sloppy about everything else.

Ken Pfeil, CSO at Capital IQ, says the SolidWorks theft case should ring alarm bells at every company that wants to outsource. “You really have to dig on due diligence,” he says. “[Require] background checks on employees, look at the company history and financial stability, look at their retention rates for employees.” Turrini, the lawyer, recommends putting someone with deep pockets on the hook. For instance, insist on indemnification agreements with the outsourcing provider, and make sure that provider has substantial assets in the United States just in case. Failing that, he recommends, get insurance for source code.

While those steps might sound straightforward, companies often fail to take even basic steps to check on potential suppliers, according to Bill Malik, who spent 11 years as an analyst at Gartner. He declined to name names but said that “people far too often don’t do their due diligence. I’ve seen organizations that just want to take a pass on the whole thing. They just want to outsource development to the cheapest vendor.”

Usually, such hasty decisions are driven by the need to keep up profits and revenue. Looking at short-term financial gains is a huge mistake, Malik says, and cases like the one unfolding in India show why.

Also ahead: a shift in the outsourcing market that will put intellectual property protection in the spotlight. The first wave of software outsourcing has focused on application development and maintenance, both of which have fairly contained levels of risk, outside of the odd rogue employee like Verma. But as companies move more and more types of software development overseas, such as databases and other packaged applications, they need to think about what kind of data they make available for testing. Also, Nasscom members are aggressively seeking out higher-end business process outsourcing (BPO) opportunities, such as call centers and claims processing. India did more than $1.2 billion in this type of work last year and expects to generate $16 billion in revenue from BPO in 10 years. These kinds of applications create thorny issues about personal data protection for U.S.-based customers.

Legal eagles such as Bierce say that India and other nations interested in drawing more high-end software work such as BPO need to adopt laws that protect personal information when it’s transferred from other countries. “Software development is easy; you don’t have data protection problems until you start populating a database,” Bierce says. He notes that Nasscom is working on such a law, though it failed to generate one in a similar effort several years ago. The push for call centers, claims processing and other back-office work means that U.S. companies must reassess what’s at stake. As offshore vendors deal more and more often with customers and specific customer data, the potential for abuse rises. ■

Michael Fitzgerald is a freelance writer based in California. Send feedback to Executive Editor Derek Slater at dslater@cxo.com.


More  Legal  Matters 


Read  "Privacy’s  New  Image"  from  the  October  2003  issue  of  CSO  to  learn 
how  privacy  standards  and  laws  overseas  are  affecting  U.S.  policy.  Type 
the  DocID  number  (above)  into  the  search  box  at  www.csoonline.com  to 
find  the  article  online. 
TEAM CAPTAIN CSO Pamela Fusco says more than 1,000 employees and clients help shape Digex’s security efforts.

The best defense isn’t sitting around with your fingers crossed. Digex CSO Pamela Fusco would rather take the battle to the hackers. By Ann Harrison

A colleague at Digex describes Pamela Fusco as a madwoman. It’s a compliment—although when the comment is relayed to Fusco, her response is to quip, “Really? Remind me to restrict his network access.” Fusco is chief security officer at Digex, an Internet hosting company headquartered in Laurel, Md. She’s a Navy intelligence veteran, married to another security professional, and she talks about the challenges of information security with unabashed enthusiasm. So is it surprising that Fusco and Digex don’t sit back and wait for trouble to find them?

Digex prepares for attacks by conducting a full security audit every 24 hours and actively gathers information on exploits and vulnerabilities. The company uses this data to not only identify common attacks but to trace the source of the hostile actions, block them and then try to identify the attackers. Fusco and her group use honeypots, digital forensics tools and an active incident response team, and they share their data with law enforcement where Digex’s clients deem it appropriate.

“Aggressive? Perhaps,” says Fusco, when asked to describe her approach. “Mission-oriented, definitely.” But maintaining that attitude involves a new set of expenses and risks. Jeff Moss, president and CEO of Black Hat, a computer security consultancy and training company, estimates that less than 5 percent of all companies even have an incident response group that can preserve evidence and collect a chain of forensic information to assist in investigating hack attempts. Where Digex’s policies have a search-and-destroy flavor, the prevalent infosecurity approach in today’s corporate world might be better described as hide-and-hope. Fusco admits the aggressive tack isn’t necessarily right for everyone, but CSOs should consider whether, for their particular businesses, the payoff might be worth the extra effort.

Fusco’s team has an obvious motive for pursuing world-class network security. At Digex, the network is the business. The company provides managed-hosting and connectivity services. Its 768 employees and four global operations centers support 509 clients in industries as wide ranging as finance and education. In addition to hosting, Digex also develops and manages enterprise applications, firewalls, e-mail servers and databases. If the network is unreliable or customers find their data is getting poached, Digex won’t hold those clients for long.

It’s a high-pressure environment. A passionate, energetic and no-nonsense woman, Fusco radiates exactly the kind of can-do attitude that nervous clients would want at the helm of the security effort. After working for U.S. Navy intelligence, Fusco was hired by EDS for its government business branch. Fusco says she and her husband, a retired U.S. Marine, are constantly interchanging their security strategies and designs. And Fusco pays attention to details and is irritated by avoidable mistakes.

She notes, for instance, that companies should make sure that their machines are patched and not granting access via vendor default passwords that come packaged with commercial software. “Come on folks!” says Fusco in a tone that she might reserve for an inattentive sailor. “Start with the basics!”

As Fusco recalls, when she arrived at the company in 1998, Digex had to do exactly that. There was no security team, and Digex needed to take baby steps “to get a grip on what we had within our data centers, detail the network and incorporate security at every layer” just to get out of constant fire-fighting mode. But after only a few months on the job, Fusco says, she got charged up and decided that she wanted to go well beyond the basics and make dramatic improvements—not only at Digex, but also in the larger security community.

Flash-forward to today: Digex has arrived at a strategy that incorporates aggressive techniques on top of a sound architectural base. Fusco has presented her security strategies to a number of organizations, including the Electronic Crimes Task Force, Internet World and the RSA Security Conference.

For starters, Fusco created the Systems Security Operations (SSO) team by leveraging 300 or so security full-timers. This group’s work is augmented by the company’s internal operations, engineering, product development and client services staff, plus input from clients—in all, more than 1,000 contributors help design and maintain the company’s security plan. Fusco says this extended community helps Digex and the SSO accomplish the security agenda without exhausting their funding and resources. At the same time, with so many chefs stirring the broth, accountability is key. Every security system or process has an owner within Digex who is responsible for auditing, upgrading and redesigning his piece of the plan. “So many organizations procure exceptional security software and hardware, but there is no one allocated to ensure the ongoing capacity and reliability of their security program,” says Fusco.

SSO monitors security data at several levels: system, application and network. Round-the-clock collection and analysis of audit data raises a red flag if servers and peripheral devices on the company’s network are experiencing performance issues or otherwise behaving irregularly. The team then correlates this data with internally developed analysis techniques in a database dubbed SecAudit, which contains definitions of known infosecurity threats and vulnerabilities. The SecAudit database also has a profile of each server within the Digex network and details the type of operating system and applications each is running.

This systems and application-layer monitoring is further matched to information detailing network traffic. Fusco says the company uses digital forensics and real-time network intrusion detection systems, or IDS, at all four of its worldwide data operation centers. Data from these monitoring systems is correlated with internally developed analysis techniques and code that define known exploits and vulnerabilities. Fusco won’t reveal all the details about the specific weapons in Digex’s defense arsenal, but she says the group has customized open-source tools such as Snort, a popular IDS used to identify and curtail network traffic deemed potentially malicious. The Digex group has also written its own custom forensics tools.

At the network and infrastructure level, Fusco says, the Digex security team tracks data on the volume of potential incidents it has thwarted. The group also notes which attempted exploits it has blocked and why, where that network traffic has come from, and what type of traffic it is, using IDSs and data from the network switches. Since the IDSs function in real-time, she says, Digex can compile data for any network entry or exit point at any moment. This approach served the company well when the SQL virus emerged earlier this year. Fusco says her team recognized an increase in attempted attacks and was able to quickly double-check its defenses. Unlike so many companies, Digex says it suffered no damage.

Monitoring isn’t Digex’s only defense, of course. Standard operating procedure includes modifying the default configurations set by the company’s IT vendors to enhance the security of everything from applications to operating systems. The security team has designed “Digex security standard build” configurations for Windows, Solaris and Linux. Digex conducts analysis and testing on software purchased from other companies in support of patch deployments and security fixes, and Fusco says company engineers will often reengineer the products and disable services that violate the company’s security policies. Typical changes include renaming files, renaming or removing certain service accounts, removing services on the system that are not required for that particular system to function, and disabling file transfer protocol, or FTP. At the policy level, Digex pursues certifications and standards such as BS7799.

That’s a solid foundation on which to build, but Digex’s security tactics go further. Since 1999, Digex has also deployed honeypots on its network. Honeypots are lightly defended systems that are set up specifically to allow the owner to spy on network intruders. A hacker who penetrates a honeypot thinks he has compromised the network and may proceed with whatever mischief he intended—but, in fact, the honeypot will block and record the hacker’s every move, whether he attempts to copy files or create unauthorized user accounts.

Honeypots are less widely used than IDSs and firewalls, and more controversial. Proponents say they offer unique capabilities and can help cull through possible false alerts from IDSs; detractors say honeypots are an unnecessary expense and, if configured carelessly, can actually create a vulnerable point in the network. Fusco herself agrees that a company without a honeypot can often gather the information it needs with a good firewall, IDS, server logs, and vulnerability and assessment scans. According to Fusco, the device should restrict access to other corporate resources and networks. Further detection devices and an alerting mechanism need to be configured in a stealth mode on the honeypot so that the security team can be alerted without tipping off the intruder that he’s wandered into a trap. Ironically, Fusco emphasizes that companies must make sure that patches on honeypots, security platforms and network IDSs are up to date to ensure that these machines are not compromised in unintended ways. “Some people patch all of the other systems and forget to patch the security systems,” says Fusco. (For more on honeypots, see “You Can Catch More Spies with Honey,” available at www.csoonline.com/printlinks.)
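The guidance above (the honeypot should not reach other corporate resources, and its alerting should not tip off the intruder) can be shown in a few dozen lines. What follows is an added example and not Digex’s tooling, which Fusco does not describe in detail: a minimal low-interaction decoy listener in Python. The decoy ports, the escalation threshold and the sample connection in the test are constructed. The decoy accepts a connection, records the first bytes it receives, closes without ever sending a banner or a reply, and raises an alert into its own log once a single source has touched it a set number of times, so the alert path is entirely out of band.

```python
"""Low-interaction decoy listener with quiet alerting (added example)."""
import json
import socket
import threading
import time
from collections import defaultdict

# Constructed values: unprivileged stand-ins for FTP/telnet decoy ports, and
# how many touches from one source trigger an escalation in the log.
DECOY_PORTS = (2121, 2323)
ALERT_THRESHOLD = 3


class DecoyLog:
    """Append-only record of every connection the decoys receive."""

    def __init__(self):
        self.events = []
        self.touches = defaultdict(int)   # source IP -> number of connections
        self.alerts = []
        self._lock = threading.Lock()

    def record(self, src_ip, src_port, dst_port, first_bytes):
        event = {
            "ts": time.time(),
            "src": src_ip,
            "sport": src_port,
            "decoy_port": dst_port,
            # hex keeps binary probes intact in the archive
            "first_bytes_hex": first_bytes.hex(),
        }
        with self._lock:
            self.events.append(event)
            self.touches[src_ip] += 1
            count = self.touches[src_ip]
            # Escalate exactly once per source; nothing goes back to the source.
            if count == ALERT_THRESHOLD:
                self.alerts.append({"src": src_ip, "touches": count,
                                    "ts": event["ts"]})
        return event

    def dump(self):
        """Serialise events and alerts for the after-action archive."""
        return json.dumps({"events": self.events, "alerts": self.alerts})


def handle_connection(conn, addr, dst_port, log, timeout=2.0):
    """Capture what the caller sends first, then drop the connection.

    No banner and no reply are ever sent: the decoy listens and records only,
    so it offers nothing to learn from and cannot be used as a pivot.
    """
    conn.settimeout(timeout)
    try:
        data = conn.recv(256)
    except OSError:            # timeout or reset: still worth recording
        data = b""
    finally:
        conn.close()
    return log.record(addr[0], addr[1], dst_port, data)


def start_decoy(port, log, host="127.0.0.1"):
    """Bind one decoy port and serve it from a daemon thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)

    def loop():
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle_connection,
                             args=(conn, addr, port, log), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv


if __name__ == "__main__":
    log = DecoyLog()
    for p in DECOY_PORTS:
        start_decoy(p, log)
    print(f"decoys listening on {DECOY_PORTS}; Ctrl-C to stop")
    try:
        while True:
            time.sleep(5)
            if log.alerts:
                print(log.dump())
    except KeyboardInterrupt:
        pass
```

The decoy host itself still needs the patching Fusco insists on; the listener only keeps the sensor from adding reachable surface of its own. In a real deployment the `dump()` output would be shipped to a collector on a separate management path rather than printed.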

Even with all this network armor in place, Fusco’s SSO group maintains a Security Incident Response Team and always generates an “after action analysis” following a security event—even one that was successfully blocked. “With each new incident or attempted exploit, we improve our security structure,” says Fusco. “No one on this team is on a 9-to-5 mentality.” Daily security reports are e-mailed to Digex executives and key operations personnel, documenting each system’s patch level, services, applications, versions, functionality, address and host names. The daily reports are archived for historical and forensic purposes, and the entire security lifecycle of each server is retained within a restricted database. Fusco says this system lets the company capture the status of each system and provide current, in-depth data to customers and executives.
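Three of the practices described in this article fit together naturally: the SecAudit idea of holding a profile of each server next to definitions of known vulnerabilities, the standard-build rule that unneeded services such as FTP are removed, and the daily report that lists each system’s patch level, services, versions, address and host name. The Python below is an added example that ties them together; it is not Digex’s SecAudit or its report format, and the inventory, the vulnerability definitions (placeholder IDs, not real identifiers), the banned-service list and the minimum patch level are all constructed. Each host profile is checked against the definitions by comparing installed versions with the fixed version, checked against the build baseline, and rendered into one report record.

```python
"""Server profiles correlated with vulnerability definitions and a build
baseline, rendered as a daily report (added example)."""
import json
import re
from datetime import date

# --- constructed sample data -------------------------------------------------
INVENTORY = [
    {"host": "web-01.example.test", "addr": "192.0.2.10", "os": "Linux",
     "patch_level": "2003-10-15",
     "services": {"httpd": "2.0.47", "sshd": "3.6.1"}},
    {"host": "db-01.example.test", "addr": "192.0.2.20", "os": "Windows",
     "patch_level": "2003-07-01",
     "services": {"mssql": "8.0.194", "ftp": "5.0", "sshd": "3.5"}},
]

# "affects <product> at versions below <fixed_in>"; IDs are placeholders.
VULN_DEFS = [
    {"id": "EXAMPLE-VULN-001", "product": "sshd", "fixed_in": "3.6.1"},
    {"id": "EXAMPLE-VULN-002", "product": "mssql", "fixed_in": "8.0.760"},
]

# Standard-build baseline: services that must not be present at all.
BANNED_SERVICES = {"ftp"}

# Oldest patch level accepted for this run of the report (ISO date).
MIN_PATCH_LEVEL = "2003-09-01"


def parse_version(text):
    """'8.0.194' -> (8, 0, 194); '3.6.1p2' -> (3, 6, 1) (leading digits)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def find_exposures(profile, vuln_defs=VULN_DEFS):
    """IDs of definitions whose product is installed below the fixed version."""
    hits = []
    for vuln in vuln_defs:
        installed = profile["services"].get(vuln["product"])
        if installed is None:
            continue
        if parse_version(installed) < parse_version(vuln["fixed_in"]):
            hits.append(vuln["id"])
    return hits


def build_deviations(profile, banned=BANNED_SERVICES, min_patch=MIN_PATCH_LEVEL):
    """Ways the host departs from the standard build."""
    issues = [f"banned service present: {s}"
              for s in sorted(set(profile["services"]) & banned)]
    if profile["patch_level"] < min_patch:   # ISO dates order as strings
        issues.append(f"patch level {profile['patch_level']} older than {min_patch}")
    return issues


def daily_report(inventory=INVENTORY, vuln_defs=VULN_DEFS, today=None):
    """One record per host: status fields plus what needs attention."""
    today = today or date.today().isoformat()
    entries = []
    for p in inventory:
        entries.append({
            "host": p["host"], "addr": p["addr"], "os": p["os"],
            "patch_level": p["patch_level"],
            "services": dict(p["services"]),
            "exposures": find_exposures(p, vuln_defs),
            "build_deviations": build_deviations(p),
        })
    flagged = sum(1 for e in entries if e["exposures"] or e["build_deviations"])
    return {"date": today, "hosts": entries, "flagged": flagged}


if __name__ == "__main__":
    # The JSON document is what would be mailed out and archived each day.
    print(json.dumps(daily_report(today="2003-11-01"), indent=2))
```

Archiving the full record every day, rather than only the flagged hosts, is what gives the report its forensic value later: a question such as “what was running on that server the week before the incident” is answered by reading the archive rather than by reconstruction.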


So why don’t more companies take an aggressive posture toward information security? The biggest obstacle is simply that it’s too costly. Network service providers live moment-by-moment by available, airtight networks. Even in today’s Web-enabled world, relatively few industries have the resources to throw at honeypots, in-house forensics tools and the like.

Black Hat’s Moss says it typically costs about $100,000 to set up and monitor honeypots. He also says dedicated incident response, legal and forensics teams are rare, usually seen only in government organizations and banks, which are required by law to collect this type of information. Moss believes that the only people with any business running honeypots are research institutions, the military or the government; otherwise, he says, honeypots are a waste of time and energy. “You only have so many security dollars. It will get attacked and someone will break in, but [typically] by a script kiddie. Are you going to go after him with a $100,000 investment?” asks Moss. “Why not take that $100,000 and invest it in better people and become more secure with better host-based security, better antivirus software, better firewalls. That gets more bang for the buck.” Honeypots, he notes, can create a variety of problems, including potential confusion for auditors or managers who might mistake them for a vulnerability. Some administrators have been known to call a poorly secured machine a honeypot just to protect themselves. Misconfigured honeypots can also be taken over by intruders and used to harm other computer assets. “The more simple the honeypot, the more secure it is, and the less risk it is to the system,” agrees another expert, Lance Spitzner, author of Honeypots: Tracking Hackers.

(Too) Risky Business

HACKBACK—RETALIATING IN KIND AGAINST ONLINE ATTACKERS—MIGHT BE A LITTLE TOO AGGRESSIVE

When a denial-of-service (DOS) attack was launched against the World Trade Organization website during the WTO summit meeting in Seattle nearly four years ago, Conxion (the WTO’s hosting service) retaliated. Conxion determined that the attack, consisting of a flood of page download requests, was coming from a single IP address belonging to a server run by a United Kingdom-based group called the E-Hippies Coalition. Conxion repelled the DOS attack by telling its filtering software to redirect network traffic coming from E-Hippies’ server back to the offending machine.

E-Hippies never publicly acknowledged the attack, but noted on its site that users were having a hard time getting through.

It’s called hackback, and it’s a still more extreme version of aggressive defense. Probably too extreme, in fact. Digex CSO Pamela Fusco, who generally advocates an aggressive defense strategy, says her company won’t go as far as hackback because of the legal risks.

Jennifer Granick, executive director for the Stanford Law School Center for Internet and Society, runs through a litany of those risks: Placing unauthorized code on a person’s machine without his consent—especially if the code maintains communications with a third party—could violate the provisions of 18 USC 1030, the general statute forbidding unauthorized access to computer systems. The statute is an outgrowth of the Computer Fraud and Abuse Act as modified by the Patriot Act and other actions. These actions can be prosecuted under the Computer Fraud and Abuse Act, the Unlawful Access to Stored Communications Act and the Electronic Communications Privacy Act. And even if a company’s honeypot sends out honey tokens, which determine what kind of activities the alleged attacker is participating in on his own machines, Granick says it could be violating a host of privacy protections intended to prevent illegal wiretapping.

Granick further points out a simple logistical risk posed by hackback: Since hackers frequently disguise their attacks as coming from someone else, the counterstrike may wind up hitting an innocent party. In the WTO case, in press reports at the time, Conxion said it believed it had a clear trail back to the offending IP address at the E-Hippies server allowing it to reject the packets and return them to the sender. (NaviSite, the company which later acquired Conxion, did not return calls seeking comment for this story.) -A.H.

Fusco concedes that measures such as honeypots and digital forensics are not appropriate for every company. Organizations that keep their most sensitive information on back-office networks have different threat models to ponder, she says. In such organizations, it is typically more critical to audit user accounts and resource logs to ensure that employees are abiding by internal security policies. Honeypots, Fusco says, are better for dealing with malicious external threats than internal policy infractions.

Even though Digex’s network security is mission-critical, its defense funds are not unlimited. In fact, as of this writing, Digex’s recent financial performance has been poor, and an acquisition offer from MCI was on the table. Fusco won’t share the hard numbers in her budget and cost-justification process but does say that the company’s leadership agrees it’s money well spent. On the soft side of the benefits equation, Fusco—and her superiors—believes proactive information security enhances customers’ trust in Digex. According to Fusco, security issues started to get more board-level attention just prior to Y2K, when companies began to pay closer attention to the security requirements of their enterprise clients. Digex’s customers, especially those in finance, e-business and insurance, began to challenge Digex to adopt a strong security presence, says Fusco. Even so, turning the tide to get buy-in to enforce and implement security within the Digex corporate confines required “a dig in and be persistent strategy,” says Fusco. Metrics have also played a pivotal role. Once basic monitoring efforts were in place, Fusco had ammunition, showing executives samples of daily threats and intrusion attempts. She also gave straightforward calculations of costs incurred and avoided. “You have to provide them with the facts and the aspects and the reality of what is lurking around the corner as a result of a weak security platform—no fluff and no exaggerations,” Fusco says.

If more CSOs did so, perhaps aggressive defense wouldn’t be universal, but it also might not be quite so rare. ■

Ann Harrison is a freelance writer based in San Francisco. Send feedback to csoletters@cxo.com.

More Resources Online

Read about other companies that take an aggressive approach to security in CSOonline’s THREATS & RECOVERY RESEARCH CENTER. Go to www.csoonline.com/threats.


November  2003  www.csoonline.com  49 


DUYOS 


BY THOMAS WAILGUM

Eduardo Dardet, the director of information security at JM Family Enterprises, burned the midnight oil in his company’s 11th-hour outsourcing negotiations, but he didn’t get burned in the process.
still be billed as desperately trying to gain celebrity status, continually relegated to B-level buddy-cop comedies and tired sequels. Never a star. Always a supporting player. But events more dramatic than any screenwriter could have ever penned have given CSOs their big break. Security awareness is at an all-time high. Faster, fancier—and less secure—technologies demand the scrutiny of savvy security executives. Nervous employees need comforting. The whole country is on alert. It’s high time they take center stage. But it’s not the time to take the responsibility. At least, it’s not time to take all the responsibility.

In fact, it is your job as CSO to analyze the vulnerabilities your organization faces and to suggest ways to best mitigate those risks. Without the guidance of a CSO, truly informed decisions are impossible. But it’s the job of the other executives who own the project to determine how much risk—or even which risks—the business wants to take on.

Too often, however, we bet you get caught up in the political infighting of the blame game—when IT networks are compromised, top-secret project plans leave the building, or money is lost and the business suffers. That’s because it’s easy to point to the CSO if a project tanks or gets cut off because of a perceived security hole. It’s easy to point to security vulnerabilities in the latest version of a product release or in a freshly inked outsourcing deal when, as a result, your company’s competitor scoops up the potential business.

But truly, how accountable are you—or should you be—when something goes wrong? And for what? In other words, where, exactly, does the buck stop when it comes to making the decisions that involve security?

“Security accountability falls into some ambiguous management space,” says Carl Herberger, director of information security services for SunGard Availability Services.

“Risk and business opportunity are intertwined and must be weighed together,” he adds. “Doing so obligates CSOs to become great communicators, to interpret and discuss the interplay of business objectives, the range of potential threats associated with them and the costs of mitigating those threats. But it falls to the relevant business executive to make an informed call about whether the risks outweigh the accompanying opportunities.”

There’s no getting around it: You will always be responsible for presenting the risk-based facts as you see them. That’s your job. You analyze risk. Dissect it. Know it. Own it. Live it. You study possibilities, you research uncertainty, you ask What if? Then you consult, speculate and study it more. You speak in technical terms. You speak in business terms. You build a report. And then you present your findings.

In the end, however, taking the risk—or not—always boils down to one decision, made by one person, who signs his name on the dotted line and says, “Let’s go for it.”

But that person should never be you.

This is the new accountability, and it’s time you got on board.

■ ■ ■

EDUARDO DARDET RECALLS the story with ease. In fact, most of the specifics come back to him with little prodding. He was home on a Friday evening—on the last day of May—when the phone rang. It was a call from work he hadn’t been expecting.

Dardet’s company—JM Family Enterprises—was on the verge of signing a multimillion-dollar outsourcing deal with a large software vendor. Involved in these after-hours discussions were a group of business heads from his company and three corporate lawyers. The vendor’s representatives, with their own legal brawn, weren’t agreeing to one of JM Family’s established security clauses, which in turn prompted the vice president of JM Family’s project management office to call Dardet, the director of information security. He wanted to ask him one simple question: Should this be a deal-breaker?

For Dardet and JM Family, the 13th-largest privately held company in the United States and a leader in the automotive distribution industry, the pressure to enlist the vendor’s services was rising. “It was very tense,” Dardet recalls. At midnight, the vendor was going to close its books for the previous quarter, and it wanted to add this lucrative sale to its bottom line. It was also a sweet deal for JM Family—the financial incentives, anyway, made it a no-brainer. Which made Dardet’s job all the harder. “This was not some nice-to-have system. This was a core system,” he says, reflecting on it now, months later. “I thought, Am I really the one who is going to block this thing?”

Dardet, of course, had done his due diligence beforehand. He had followed a rigorous infosecurity approval process, working with the company’s procurement department, its project management office and the company’s in-house and outside lawyers to hammer out the details. To dig deeply into the risks. To figure out potential impact, develop mitigation strategies. Delve into regulatory and compliance matters. Simply put, to do what he gets paid for.

But that phase of the process had passed. So why were they calling him now?

As it happened, the deal was hanging on one infosecurity-related snag. JM Family requires two main infosecurity clauses as a standard part of its contracts. The first relates to a broad protection of confidentiality and integrity of JM Family’s data. The second requires the vendor to notify JM Family of any suspected or known security breach that could in any way affect JM Family’s systems. The vendor seemed to have a change of heart; it wasn’t prepared to comply with the second clause.

Which was a deal-breaker for Dardet. “We were giving them something of value—our information to manage, to support. If somebody stole something from us on the vendor’s systems, we needed to know.”

So that very large contract, with its very large incentives, and one very large unanswered question, hung in the warm Miami night air as Dardet and his colleagues discussed the particulars over the phone. The vendor’s reps waited in a separate room, straining for an answer. And midnight was fast approaching.

■ ■ ■

FOR DARDET TO EVEN PLAY A PART in this 11th-hour contract process exemplifies security’s rising prominence in corporate America. It wasn’t that long ago when security didn’t even have a place at the proverbial table—it was more like a seat at the kids’ table. But for whatever reason—9/11, computer viruses, workplace shootings, terror alerts, war—security has finally been invited to dine with the rest of the adults.

“In the past, [business users] might go ahead with a project without consulting us,” says Craig Granger, who for the past four years has run the multinational security operations for Delphi, a maker of automotive mobile electronics, components and systems technology. “Security is on the top of the list here now, and our peers in corporate come to us.”

While Granger and many other security executives devote a big part of their job to building awareness of security issues, they’ve also realized, ironically, that raising user knowledge allows the CSO to shift a part of the heavy accountability load to business peers, end users and pretty much anyone else working behind the company logo. “In this climate, everybody has a heightened awareness,” Granger says. “Now, more of the security emphasis is on people. It’s their responsibility, not just mine.”

Mary Ann Davidson, CSO at Oracle, also thinks it’s important to share accountability with others in the company. “I don’t want to be the policeman,” she says. “If people think risk is the security person’s job, then I’ve failed.”

How Granger, Davidson and other CSOs raise the corporate security IQ will determine the outcome of today’s culture clash. Part of the battle is fought in the field—pressing the flesh with execs, developing an omnipresent security policy and educating every employee on process management. Granger, for one, speaks at business group meetings and consults with Delphi’s executive officers. He attends strategy meetings with top execs and governance board meetings with his vice president and regional and divisional CIOs, and mandates that all new employees take a security course and undergo training.

When Granger first arrived at Delphi, he laid out a charter detailing the specifics and differences between his responsibilities and those of corporate.

Granger says he and his charter were well-received. It defined the global security policy at Delphi. Considerable effort has been spent ever since spreading a “strong infosec policy that’s published everywhere,” Granger says. And not just to users but to executive officers through a high-level governance board. “Here, people can’t say that they aren’t aware of the policy,” he says. “The charter has greatly enhanced our visibility and security awareness here. They know who we are.”

But it’s not solely about getting the word out, he adds. It’s how you speak the word and how it’s received. It comes down to developing trust with your peers. Which lets them, in turn, feel all the more comfortable shouldering some of the accountability burden.
THE SILENT TENSION FOR DARDET and his colleagues was palpable over the phone lines. This was an important deal for JM Family. But equally important to Dardet was knowing that the second clause was intact.

The JM Family negotiation team—the business-side executive on the deal, a procurement person, JM Family’s corporate lawyer and two external lawyers—wanted more from Dardet. The group played out, over and over again, the ramifications of signing the deal without the second clause in place. They talked about risk and reward. Was this a manageable risk? Was the reward worth it?

On the one hand, the lawyers felt they had sufficient protection even if they didn’t get the second clause from the vendor. Dardet, however, was focused on the other hand. “The deal may have worked legally, but [the protection] was very obscure,” he says. “I don’t care whether it’s legally good or bad. I wanted it clear.”

Dardet said his part one last time. Specifically, he was less worried about the legalese of the whole affair and more concerned with living with this deal—taking care of the day-to-day security matters—after midnight came and went. “They all knew my position,” he says. “They knew what I was asking for.”

Still, JM Family seemed to be waffling, while the vendor’s representatives were standing firm.
■ ■ ■

AT NORTEL NETWORKS, Timothy Williams, vice president of corporate security and systems for the network communications provider, tends to lean on relationships and solid security processes when he talks about accountability. “The key to accountability is process management,” Williams says. “Security is no different than any other process or function, and how we handle business events develops credibility.”

Process management, with a clearly defined, easy-to-follow set of guidelines for handling security matters, is another way CSOs can manage accountability. Along with raising awareness, process management can reinforce the expectations that the security department has for everyone. “Fundamentally, security is a process. That means that it is not a tool; it’s not a piece of hardware or software,” says SunGard’s Herberger. “It is about your risk tolerance. About your company’s culture. And there’s no way that it can be solely with one staff function.”

At Nortel, Williams tries to involve as many different functions in his security process as possible. He works with members from various cross-functional groups—with internal audit and the insurance group, for example. Deeper within his security process, you’ll find three core elements: risk assessment, enterprisewide collaboration and strategic planning. Williams staffs his department with people who come from a variety of different areas—systems security engineers, of course, and global thinkers, a leadership team with MBAs, and subject-matter experts who can “cut across security and think in terms of the whole organization,” he says. As part of the process, he and his team continually assess and reassess all of their client groups’ needs and vulnerabilities. They use eight matrices in looking at each operational area, whether it is a new proposal or a system overhaul. “I own the process,” Williams says confidently. “There are a number of processes here that have my team’s signature on them.” But, he and other CSOs add, all of the security processes should have everyone else’s—including the business execs’—signatures on them as well.

If and when it’s needed, Williams also has a process that takes care of follow-up and investigation—when something goes wrong and fingers start to point. Though Williams won’t discuss the specifics of anything that actually has gone wrong at Nortel, he’ll use the example of a breached network to describe what he would do. If something happens, he says, he and his team members will go back, review the situation and ask, What did we miss? Should we have better prepared? Then he’ll go back to his strategy and reassess that. “For security events that do occur, you have to review them carefully and quickly,” he says. “If it was wrong in the way that it was handled, then that’s my responsibility.” He also gets out and solicits feedback about crises from all levels of the organization. He talks about security events and presents findings to senior leadership—thereby raising awareness and promoting his processes at the same time.

He says, above all, that his business peers at Nortel want his group to maintain value and independence in everything that it does and to protect the drivers of the business. Simply stated, Williams says CSOs need to “do strategy—and execution—well.” Which is no small task.

A CLASSIC CASE of risk versus reward was staring down at Dardet and his business and legal colleagues.

Just after midnight, the final decision was made by the business head, Stephen Donaghy, the vice president of the project management office, to go forward with the contract. Ultimately, he and the three lawyers felt that other general provisions in the contract, which required the vendor to adhere to JM Family’s security policies and notify JM Family if a breach actually did occur, were enough of a safeguard against future problems.

In retrospect, Dardet speaks confidently about the conversations they had that night. He’s pleased that his business peers were debating infosecurity concerns with him before a final decision was made.

Although Dardet is comfortable with the decision, he’s quick to classify this drama as a “very special case due to the financials associated with it.” In the end, the risk/reward equation ended in a “Let’s go for it.” And though he played a serious role in the negotiations, Eduardo Dardet did not make the final call. And that’s fine with him.

■ ■ ■

AS MUCH AS ACCOUNTABILITY has to do with awareness and process, it also has as much to do with relationships. That means that CSOs cannot simply hole up in the security department and send out e-mail policy reminders from time to time. CSOs need to put a face on the security department. Their face. And if they can build trust and credibility with their peers, other executives will feel that much more comfortable signing their names on the dotted line.

But most CSOs will advise you to get to know the business and to show your business peers that you think business first, security second. “CSOs have to be an enabler rather than an obstructionist,” says William Besse, who’s in charge of the physical security for Belo, a large media company with businesses in print, broadcast and interactive media. “CSOs can mandate what to do, but they’ll leave [the security function] out of the process if you don’t understand their business problems.”

Dardet agrees. “We have to give them something that they can make a judgment about,” he says. But he stresses that you have to be clear about the business specifics—to know exactly how the security issues relate to the businesspeople and their decisions. “If you don’t have that, the business head will say, ‘Well, do you think, or do you know?’” he says. And a CSO should always know.

Besse is a huge believer in getting to know all facets of the business side. He says he takes on a more consultative role, although he acknowledges that the decision-making part of the accountability equation rests most definitely with the business function head. “At the end of the day, the business manager is the one to make a decision, and he has to have the ability to make those calls,” Besse says. That ability comes from CSOs getting on the business executives’ agenda to show them how security can help them. “Business units are different from each other, so you have to work with each one,” he says. “The people there will eventually begin to understand how security can help them.”

When it comes to actually working with your business colleagues, Delphi’s Granger cautions that CSOs should not get too technical with their executive brethren, or bog them down in what he calls the nitty-gritty of security. “You need to keep it at a high level,” he says. “You have to keep your eye—and theirs—on the big picture.”

Though it’s clear that most CSOs would rather not speak of tales of security-gone-horribly-wrong, they’re quite capable of talking about what they would do if fingers started pointing and name-calling commenced. They consistently use phrases like “follow-up meetings,” “after-the-fact strategy sessions,” “future mitigation steps.”

But blame? No. These CSOs take the high road when it comes to accountability—in their brief rise in prominence, they have learned well. “Security is a silent partner. There’s not a great deal of bravado,” says Nortel’s Williams. “We’re not here to affix the blame but to fix the process.” ■

E-mail feedback to Thomas Wailgum at twailgum@cxo.com.

How Accountable Are You?

Tell us how accountability is shared at your company. Type the DocID number (above) into the search box at www.csoonline.com and add a comment to this article online.
Technologies, Tools and Tactics

How to Secure Web Services

The next new (vulnerable) thing

By Simson Garfinkel

SECURING WEB SERVICES IS EASY: All you have to do is secure your Web server, secure every message flowing in and out of your server, secure every application that has anything to do with SOAP and XML, and secure the business operations and practices driving the whole thing.

OK, OK. So securing Web services isn’t that easy—in fact, it’s downright difficult. So, in the traditional fashion of software development—where the market demands features now and security later—many businesses are tempted to deploy Web services that aren’t tremendously secure (and many probably do).

In one sense, it could be argued that that isn’t so terrible. Most of the potential security problems with Web services won’t immediately be found by people with automated scanning tools if they’re not yet trained to find the problems. But Web services security holes can be easily exploited by knowledgeable insiders—people interested in hacking for revenge or monetary gain. The insider threat is always at least as serious as the anonymous hacker threat. So ultimately, it pays to properly secure these services.

Since Web services are built on top of a Web server, the first step in securing Web services is to secure the server itself. Vulnerabilities have been found during the past year in both Microsoft IIS and the Apache Web server. So no matter which Web server you run, make sure you have installed all of the necessary security updates.

Next, audit your server so there are no unauthorized or legacy CGI, ASP or PHP scripts. Confirm that raw scripts can’t be downloaded by people on the Internet. If your Web service is based on a database, make sure that the scripts don’t contain user names and passwords. Instead, put that information in a separate file that’s read by each script when it starts up. Among other things, that will make changing your passwords on a regular basis easier.

Making Connections

After you secure your Web server, you need to worry about how your Web services clients are going to connect to it. Are you going to be making anonymous Web services available over the Internet, or do you intend to use Web services for high-value transactions with your customers and suppliers? If money or business reputation or potentially confidential information is involved with your Web services, you’ll almost certainly want to combine some form of authentication—to validate your incoming connections—with some form of encryption—to prevent unauthorized snooping on the actual transactions.

If you search for “securing Web services” on the Microsoft product support website, you’ll get a nice set of articles on how to configure your Web server for the SSL encryption standard and how to install an SSL certificate.

There’s also a great article by Matt Powell titled “Defending Your XML Web Service Against Hackers.” Key issues that Powell addresses are spoofing, denial-of-service attacks and exploitable bugs.

Powell points to two issues to consider when creating Web services: buffer overflows and SQL-injection attacks. Buffer overflows are, of course, one of the most common security problems on the Internet today. They happen because a programmer has written a piece of code that assumes some piece of data will never be longer than, say, 256 characters.

To exploit the bug, an attacker provides a block of data that’s much longer—say, 1,034 characters. Most of the attacker’s data is garbage, but within the block is a small program. Because of the way the C programming language is implemented, the attacker’s program can end up being executed by the Web server itself, giving the attacker complete control of your system. Avoid the problem by having your programmers assiduously check the length of every string read over the network—or by programming in Java, a language that doesn’t have buffer overflows.

Talking Points

SQL-injection attacks are more subtle. Short for structured query language, SQL is the standard language for communicating with structured databases. Most database-driven Web services use information provided by the Web services client to create SQL statements. But if the application developer isn’t careful, a malicious client can put actual SQL commands into the data stream. Unless the application developer specifically quotes or otherwise removes special characters from the data stream, those commands can be passed along to the database.
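The string concatenation the column warns about, shown beside the parameterized form, as an added Python example that is not code from the column; sqlite3 and the three-row orders table are constructed stand-ins for whatever database the Web service uses.

```python
"""Constructed example (not code from the column): an order-lookup method of a
database-driven Web service that splices client-supplied data into SQL, beside
the parameterized form. sqlite3 and the tiny orders table are stand-ins."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create an in-memory orders table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "acme", 120.00), (2, "globex", 75.50), (3, "acme", 9.99)],
    )
    return conn


def orders_for_customer_unsafe(conn, customer):
    """VULNERABLE: the client string becomes part of the statement text, so a
    quote character in the data ends the literal and whatever follows it is
    parsed as SQL (the 'actual SQL commands in the data stream' of the text)."""
    sql = "SELECT id FROM orders WHERE customer = '" + customer + "'"
    return [row[0] for row in conn.execute(sql)]


def orders_for_customer_safe(conn, customer):
    """HARDENED: the value is bound as a parameter; the database engine never
    tokenizes it, so quotes and keywords inside it remain ordinary data."""
    sql = "SELECT id FROM orders WHERE customer = ?"
    return [row[0] for row in conn.execute(sql, (customer,))]


def compare(customer):
    """Run both variants on the same input and return (unsafe_result, safe_result);
    a syntax error raised by the unsafe variant is returned as the string 'error'."""
    conn = build_db()
    try:
        unsafe = orders_for_customer_unsafe(conn, customer)
    except sqlite3.OperationalError:
        unsafe = "error"
    return unsafe, orders_for_customer_safe(conn, customer)


if __name__ == "__main__":
    # A normal name, a legitimate name containing a quote, and stray SQL in the data.
    for value in ["acme", "O'Brien", "globex' OR 'x'='x"]:
        print(repr(value), "->", compare(value))
```

The legitimate apostrophe in O'Brien breaks the concatenated query outright, and the stray SQL turns a lookup for one customer into a dump of every order, while the bound parameter treats both as plain text.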

Even if you have a secure Web server and a secure Web services application, it’s important to remember that many of these services are nothing more than glorified order-entry systems. Unless you have additional controls on those orders, you can run into more traditional security problems. Guard against them!

For example, many businesses have some kind of fraud-detection system running on their credit card processing engine, which means that suspicious-looking transactions are blocked until they can be manually reviewed. If you are accepting XML-enabled purchase orders through a Web services application, you should have suitable antifraud systems in place on the Web service as well. Simple systems establish a maximum number of dollars and transactions per customer per month, and prohibit certain items from being sent to certain geographical regions (such as Nigeria) without explicit authorization.
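The simple antifraud rules just described, applied to XML purchase orders as they arrive at a Web service, as an added Python example that is not code from the column; the element names, thresholds, SKUs and the region code are constructed placeholders.

```python
"""Constructed example, not code from the column: screening XML purchase orders
received by a Web service with the simple antifraud rules the text describes
(monthly dollar and transaction caps per customer, and a hold on restricted
items bound for restricted regions unless explicitly authorized). Element
names, thresholds, SKUs and the region code are invented placeholders."""
from collections import defaultdict
from datetime import date
import xml.etree.ElementTree as ET

# Constructed policy values; a deployment would load these from configuration.
MAX_DOLLARS_PER_MONTH = 5000.00
MAX_ORDERS_PER_MONTH = 10
RESTRICTED_REGIONS = {"ZZ"}        # placeholder region code
RESTRICTED_SKUS = {"laptop-x1"}    # placeholder item codes


def make_order(customer, day, region, items, authorized=False):
    """Build a purchase-order document in the constructed format.
    items: list of (sku, qty, unit_price)."""
    lines = "".join(f'<item sku="{s}" qty="{q}" price="{p:.2f}"/>' for s, q, p in items)
    return (
        f'<purchaseOrder authorized="{str(authorized).lower()}">'
        f"<customer>{customer}</customer><date>{day}</date>"
        f"<shipTo><region>{region}</region></shipTo>{lines}</purchaseOrder>"
    )


class OrderScreener:
    """Tracks per-customer monthly volume and decides accept vs. hold."""

    def __init__(self):
        # (customer, year, month) -> [dollars accepted, orders accepted]
        self._monthly = defaultdict(lambda: [0.0, 0])

    def screen(self, xml_text):
        """Return ("accept", []) or ("hold", reasons). A held order is not
        counted toward the customer's monthly totals until a human releases it."""
        # Client input is untrusted; a hardened XML parser is advisable in production.
        po = ET.fromstring(xml_text)
        customer = po.findtext("customer")
        region = po.findtext("shipTo/region")
        ordered = date.fromisoformat(po.findtext("date"))
        authorized = po.get("authorized") == "true"
        items = [(i.get("sku"), int(i.get("qty")), float(i.get("price")))
                 for i in po.iter("item")]
        total = sum(q * p for _, q, p in items)

        key = (customer, ordered.year, ordered.month)
        dollars, count = self._monthly[key]
        reasons = []
        if dollars + total > MAX_DOLLARS_PER_MONTH:
            reasons.append(f"monthly dollar cap exceeded: {dollars + total:.2f}")
        if count + 1 > MAX_ORDERS_PER_MONTH:
            reasons.append(f"monthly order cap exceeded: {count + 1}")
        flagged = sorted({s for s, _, _ in items if s in RESTRICTED_SKUS})
        if flagged and region in RESTRICTED_REGIONS and not authorized:
            reasons.append(f"restricted items {flagged} to region {region} need authorization")
        if reasons:
            return "hold", reasons
        self._monthly[key] = [dollars + total, count + 1]
        return "accept", []


if __name__ == "__main__":
    screener = OrderScreener()
    print(screener.screen(make_order("acme", "2003-09-02", "US", [("widget", 10, 25.00)])))
    print(screener.screen(make_order("acme", "2003-09-15", "US", [("widget", 200, 25.00)])))
    print(screener.screen(make_order("acme", "2003-09-20", "ZZ", [("laptop-x1", 1, 900.00)])))
```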

Web services are increasingly being used for complicated business negotiations, transactions and even outsourced information processing. Already some Web services provide credit rating, credit scoring and loan application processing. Typically these are business-to-business applications that are used to enable consumer-facing Web servers operated by commercial banks.

Subject to Change

Alas, as companies use Web services for increasingly complex business transactions, they’re going to be covered by negotiated legal agreements written in English. And, like all legal agreements, they’ll be subject to change. That can mean problems for companies that want to rely on information exchanged over Web services. In other words, a credit score of 580 might mean something different in January than it did last July.

Is the fact that different Web services results can have differing interpretations a security issue? Probably not. But in all likelihood, that issue is going to be solved using the same mechanism as many security issues—that is, through the use of digital signatures.

For example, a Web services request would include the URL of the legal agreement under which the request is made, and perhaps a cryptographic hash or digital signature of that agreement, just so that the client and the server can both be in harmony as to which legal agreement is in force. Such issues will become even more important as companies begin to use the same Web services to offer different services to different partner organizations under different terms and conditions.

Many SOAP (simple object access protocol) and XML security issues are being addressed by the World Wide Web Consortium’s XML Signature and XML Encryption projects, and by the Organization for the Advancement of Structured Information Standards’ SOAP Message Security standard. Essentially, these standards provide for a uniform way of assigning time stamps to messages, to prevent replay attacks; of computing cryptographic hashes of SOAP messages, to protect their integrity; of digitally signing the messages, to establish their authorship; and of encrypting the messages, to prevent eavesdropping as the messages are sent over the Internet.
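Both ideas above, the agreement reference carried in the request and the time-stamped, signed message, in one added Python example that is not code from the column or from any W3C or OASIS implementation; HMAC-SHA256 over a plain string stands in for XML Signature, and the element names, URL, agreement text and shared secret are constructed.

```python
"""Constructed example, not code from the column or from any W3C/OASIS
implementation. A SOAP-style envelope whose header carries a Timestamp, an
AgreementRef (URL of the governing legal agreement plus SHA-256 of its text)
and a Signature over the message, with the server-side checks that go with
them. HMAC-SHA256 over a plain string stands in for XML Signature/WS-Security
(public-key signatures over canonicalized XML); element names, the URL, the
agreement text and the shared secret are invented."""
from __future__ import annotations
from datetime import datetime, timedelta
import hashlib
import hmac
import xml.etree.ElementTree as ET

FRESHNESS = timedelta(minutes=5)  # Timestamps further than this from 'now' are rejected


def agreement_digest(agreement_text: str) -> str:
    """SHA-256 of the agreement text, so both sides name the exact version in force."""
    return hashlib.sha256(agreement_text.encode("utf-8")).hexdigest()


def canon(elem: ET.Element) -> str:
    """Deterministic serialization of the body so client and server sign the
    same bytes (a simple stand-in for XML canonicalization)."""
    elem.tail = None
    return ET.tostring(elem, encoding="unicode")


def signing_input(created: str, url: str, digest: str, body: str) -> bytes:
    """Everything the signature covers: time stamp, agreement reference and body."""
    return "\n".join([created, url, digest, body]).encode("utf-8")


def build_request(key: bytes, url: str, agreement_text: str,
                  body_xml: str, created: datetime) -> str:
    """Client side: wrap body_xml in an envelope with a signed header."""
    created_s = created.isoformat()
    digest = agreement_digest(agreement_text)
    body = canon(ET.fromstring(body_xml))
    sig = hmac.new(key, signing_input(created_s, url, digest, body),
                   hashlib.sha256).hexdigest()
    return ("<Envelope><Header>"
            f"<Timestamp>{created_s}</Timestamp>"
            f'<AgreementRef url="{url}" sha256="{digest}"/>'
            f'<Signature alg="HMAC-SHA256">{sig}</Signature>'
            f"</Header><Body>{body}</Body></Envelope>")


class Verifier:
    """Server side: freshness, agreement version, signature and replay checks."""

    def __init__(self, key: bytes, agreements_in_force: dict[str, str]):
        self.key = key
        # url -> digest of the agreement text the server currently applies
        self.digests = {u: agreement_digest(t) for u, t in agreements_in_force.items()}
        self.seen: set[str] = set()  # signatures already accepted (replay cache)

    def verify(self, envelope: str, now: datetime) -> tuple[bool, str]:
        root = ET.fromstring(envelope)
        header, body = root.find("Header"), root.find("Body")
        if header is None or body is None or len(body) != 1:
            return False, "malformed envelope"
        created_s = header.findtext("Timestamp")
        ref = header.find("AgreementRef")
        sig = header.findtext("Signature")
        if created_s is None or ref is None or sig is None:
            return False, "missing header element"
        created = datetime.fromisoformat(created_s)
        if not (now - FRESHNESS <= created <= now + FRESHNESS):
            return False, "stale timestamp"
        url, digest = ref.get("url"), ref.get("sha256")
        if self.digests.get(url) != digest:
            return False, "agreement version mismatch"
        expected = hmac.new(self.key, signing_input(created_s, url, digest, canon(body[0])),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return False, "bad signature"
        if sig in self.seen:
            return False, "replayed message"
        self.seen.add(sig)
        return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Walk the cases a practitioner cares about; every value is constructed."""
    key = b"constructed-shared-secret"
    url = "https://example.invalid/terms/v2"  # placeholder agreement URL
    terms_v2 = "Terms of service, version 2 (constructed text)"
    created = datetime(2003, 10, 1, 12, 0)  # clock values are constructed, treated as UTC
    soon, later = created + timedelta(minutes=1), created + timedelta(minutes=10)
    body = "<order><customer>acme</customer><amount>120.00</amount></order>"
    env = build_request(key, url, terms_v2, body, created)
    server = Verifier(key, {url: terms_v2})
    stale_client = build_request(key, url, "Terms of service, version 1", body, created)
    return {
        "good": server.verify(env, soon),
        "replay": server.verify(env, soon),
        "late": server.verify(env, later),
        "tampered": server.verify(env.replace("acme", "globex"), soon),
        "old_terms": server.verify(stale_client, soon),
    }
```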

Observant readers will note that several of the goals of the standard—specifically encryption and digital signatures—are already provided by Web servers that require SSL with client-side certificates. The advantage of creating a new signature standard for Web services is that SSL protects only the transmission—it doesn’t actually protect the data. With XML signatures or SOAP Message Security, the digital signature remains as part of the SOAP message and can be verified again. You can find out more information about these standards at www.w3.org and www.oasis-open.org.

Of course, you can deploy completely useful Web services using only basic user name and password authentication, no encryption—and never have a single security problem. But if you are that reckless, be sure to keep it a secret.

Finally, a Plea

When a spate of mass-mailing computer worms and viruses hit this past August, my e-mail inbox was flooded. But my inbox wasn’t filled with copies of a virus; it was filled with e-mail messages from antivirus systems all over the world telling me that I had sent them a virus, and that the message had been filtered.

My computer was never infected with a virus. Other people’s computers were infected, but they were sending e-mail messages with faked “from” addresses. Years ago it made sense to send e-mail to people who were sending out virus-infected e-mail messages. But those days have long passed. Today the vast majority of worms and viruses fake the return address. Antivirus systems that send out notification e-mail messages merely compound the problem.

On one day I received more than 200 of these notification messages—messages that were supposed to be helpful. And I was one of the lucky ones; someone I know from the MIT Media Lab received more than 2,300 messages in one 24-hour period. If your company’s antivirus system is set up to send these notification messages, please change the configuration. Otherwise, your antivirus system is just making the problem worse. ■

Simson Garfinkel, CISSP, is editor-at-large for CSO. He is the founder of Sandstorm Enterprises, a computer security tools company. Reach him at machineshop@cxo.com.


Convergence Competition

IBM and GE Interlogix announced in mid-September that they’ll integrate the latter’s Facility Commander building access security technology with the former’s Tivoli enterprise management software. The idea is to be able to correlate and manage both network and physical security from one console. Think access cards, badge readers, network intrusion detection systems and network directory tools all working in harmony.

The IBM-GE partnership provides yet another example of the converging worlds of physical and cybersecurity; in fact, a direct competitor has beaten them to the punch in integrated access control specifically.

In July, Computer Associates (CA) announced its eTrust product suite combining physical access control with network access control. Like IBM, CA indicates that it intends to accomplish its aim through partnerships. CA is the founding member of the Open Security Exchange (OSE), a multivendor partnership working on an IT-physical security integration standard with the pithy title “Physbits.” (See Briefing, July 2003, for more about OSE’s launch.) Other founding members in the OSE include Tyco Fire & Security’s Software House and HID Corp. The group added more members in October, along with new advisory board members from research company Forrester Research and consultancy Sandra Jones and Co., whose charge is to help ensure neutrality for the OSE (which has a relationship with IEEE-ISTO, a standard-setting body affiliated with IEEE).

But as Chris Christiansen points out, combined access control of this sort predates the CA announcement as well. Christiansen is program vice president of e-business infrastructure and security software at IDC (a sister company of CSO’s publisher). He says integrated cyber- and physical access control has been practiced by governments here and abroad for many years. “Pretty much all of the major U.S. defense contractors have a custom or semicustom solution for taking this integrated approach,” he says. Overseas, antiterrorism concerns have been a big driver, as nations such as Germany and Spain have dealt for decades with national terrorist factions. “What’s new here is IBM’s and CA’s productization and their commendable effort to drive acceptance by a broader sector,” Christiansen says. “I think it’s a fundamentally good idea.” For example, the ability to correlate who’s in the building with who’s on the network makes it much more difficult for rogue employees to run amok on the network using a coworker’s pilfered password. That’s not to say it’s impossible—but more difficult.

IBM and GE Interlogix’s intention to go their own road, rather than join forces with the OSE, may prove helpful or harmful to the spread of this type of integration. Regardless, Christiansen says that vendor competition is less of an obstacle than the oft-noted cultural rift between the IT and corporate security groups. “I’ve been sounding people out on this concept in the field, and while I hear a begrudging acceptance of the logic behind the idea, you can also see an emotional rejection. If, for example, you tell the ‘physical security people’ that you’re moving them onto the IT network and making them beholden to the ‘geeks’ in any way, they don’t care for that,” Christiansen says.

Find It Online

Computer Associates www.ca.com
Forrester Research www.forrester.com
GE Interlogix www.ge-interlogix.com
HID Corp. www.hidcorp.com
IBM www.ibm.com
IDC www.idc.com
Open Security Exchange www.opensecurityexchange.com
Sandra Jones and Co. www.sjandco.com
Tyco Fire & Security Software House www.swhouse.com
Policy Police

It’s easy enough to write a security policy, but the devil’s in the details when you start talking about enforcement

By Anonymous

I DON’T KNOW ABOUT where you work, but in most places policy is a four-letter word. Management, especially, tends to bristle at the notion. “That’s not the way we do things around here,” they’ll say. Or, “We don’t need a policy. We’ve got bright people who will automatically want to do the right thing.” Or how about, “I hired you to influence and to lead. If you have to rely on a piece of paper to get things done, maybe I’ve hired the wrong guy.”

Nevertheless, I’m someone who’s bullish on security policy for, I think, all the right reasons. Because, for one, it frames our work as CSOs. And because it also provides a hook to the resources we CSOs require. I’ve worked long and hard over the years to develop a solid security policy at my organization, and I’ve had some luck getting senior management buy-in.

I even gave a presentation on security policy at a security conference a year or so ago. As I prepared my pitch, I couldn’t help but wonder what the sponsors were hoping for. I mean, it was about boring, bureaucratic B.S. (and that’s not a college degree, by the way).

Well, as it turned out, it topped the hit parade in the participant evaluations, and I still get requests for copies of the presentation today.

I’m quite sure that it wasn’t my phenomenal charisma that made such an impression, so I’ve circled back more than a few times to learn why people care about policy.

One CSO in particular was interested in learning how I had approached the enforcement part of policy. And as I started to dig in to what I thought was familiar land, I hit a rock. While it’s easy to spout off about the way things ought to work, it’s another thing altogether to try to tell someone how to enforce the rules. Policy policing, it turns out, is not as easy as it sounds.

Many chief information officers and others at the top pay only lip service to supporting infosec policies. Nimda—and a few other wake-up calls—has changed that for some because multiple-attack vectors whacked enough critical business processes to bring new meaning to the concept of “intense displeasure” to business managers.

“Hmmm,” says the CEO, finally. “If we have a policy on this, maybe we need to be more forceful in enforcing it.”

Eureka.

History Lesson

My dictionary defines policy as “a plan or course of action as of a government, political party or business designed to influence and determine decisions, actions and other matters.” Now, believe me, I’m all about influence. But determining decisions and actions? That’s another matter. In fact, it’s one hell of a stretch.

Think about the evolution of corporate security policy. Several decades ago, it was pretty straightforward, although it wasn’t very visible from a business process perspective. We had the basic framework aimed primarily at managing a baseline security program such as physical access, notification protocols, safety and perhaps some directives that emerged from an incident or event of note.

And then Al Gore invented the Internet. Do you suppose he had imagined the potential for doing business on such a highway? Did any of us imagine how insecure it would be? How about we put this incredible facility on our desktops? Who would’ve thunk some idiot would send uninvited trash to colleagues? It’s clear that we most certainly need some business rules and other safeguards around this channel.

The past dozen or so years have been manna from heaven for policy partisans everywhere, what with the (continuing) influence of the lawyers and insurance carriers and employment laws. There was an explosive integration of technology in core business processes and the resulting risks to intellectual property and business continuity. Add to that the Corporate Sentencing Guidelines, a plethora of industry-specific regulations, privacy, the Patriot Act, Sarbanes-Oxley, anthrax, SARS, terrorism threats....

We’ve got to have an envelope of policies and procedures with all that potential for disaster, don’t we? You bet.

Details, Details

There are four parts to governance from my perspective:

■ Identifying and communicating risk: What’s the problem?

■ Creating an accepted policy and guidance infrastructure: What do we expect accountable parties to do?

■ Developing processes to monitor conformance with policy: How do we know we are successful?

■ Preparing, when the controls fail, response capabilities: If it hits the fan, who will do what to mitigate it?

Assessing compliance is not the problem. Not surprisingly, policy compliance in the information security realm is automated. A number of products can be deployed to monitor and report on rule infractions. Both logical and physical access and intrusion detection are highly sophisticated and online. A variety of business process anomalies are identified with smart-transaction monitoring. Internal and external audits will assess and confirm compliance, and our investigations will reveal where policies were not followed. In short, a huge portion of the policy landscape is (or can be) tested in real time for conformance. Unfortunately, we aren’t so easily able to do that with infractions of business and professional conduct policy, which is a huge element in your company’s reputational risk.

So here we are with a comprehensive set of governance and asset protection policies and options for measuring compliance. But what about enforcement and sanctions? The devil, of course, is in the details.

Policies set expectations and assign accountability. They establish a legal framework, spelling out what is and isn’t permitted. They define how management will govern. They provide direction to our security strategy and architecture. But when do you stop selling and start punishing? And who authorizes you to do so?

Which brings us to the first of five lessons for my CSO friends.

LESSON ONE. The enforcement of policy should be directly connected to the consequences of inaction. In other words, you need to create consequences for not actively following the company’s policy. You need to punish the yahoos who don’t follow the rules.

LESSON TWO. Unattended risk is unacceptable. The concept of corporate governance is morphing. Events have moved insurers, shareholders, regulators, legislators and directors to a much lower tolerance for risk-taking, both from a personal and a corporate perspective. Consequences are shifting to officers, directors and audit committee members, who are now held accountable when bad things happen.

LESSON THREE. An uncommunicated policy does not exist. The more that policies are clearly tied to well-communicated, higher-likelihood risks, the more our constituents will understand and comply. Are you surprised that a policy on testing business continuity plans or building evacuations might have sold shortly after 9/11 to the same people who put up a fight when we called an annual drill a few months prior?

LESSON FOUR. The masses know when policies are hollow or inequitably enforced. It’s the idea of enforcement that causes the kinds of reactions we often get from our customers. With pressure from insurers, regulators and boards, the frequency of cyberattacks and a raised bar on risk management, I think we’re beyond having to justify an inventory of security policies. The rub is around what you intend to do about noncompliance. That is where your success at selling the policy to top management and then communicating expectations to employees is key to effectiveness.

LESSON FIVE. Do your homework and frame the business case for a policy. Isn’t it amazing that when we catch an hourly employee doing something wrong we have to hold management back from sending him to the gallows? But what happens when it’s one of their own? “Do you realize how valuable this guy is?” they’ll ask incredulously.

I’ve had more than my share of time in the hot seat on issues such as that, and my best ally has always been our employment law counsel. (I’ve not had the same luck with HR types.) The lawyers know that uneven application of sanctions is an invitation to a lawsuit. General counsel should be in the loop on all policies that carry the potential for employee sanctions. You should be playing out “what if” scenarios and driving mutual stakes in the ground on how infractions will be pursued, regardless of rank. If you think there is an elitist culture working overtime at your company, you’d also do well to think hard on how you approach the investigation of white-collar wrongdoing. Findings need to be bulletproof.

Meaningful sanctions are at work when someone at the accountable management level (on his watch) gets his bonus croaked or gets fired. I heard a story about one executive who was so careless with his laptop that, two weeks after his first one was stolen, his replacement was also taken. Both had highly proprietary data on them. He was sacked. You better believe that message was not lost on the survivors.

So let it be written. So let it be done. ■

This column is written anonymously by a real CSO. For reader feedback, e-mail us at csoundercover@cxo.com.
Information Security Executive of the Year in Georgia Award

Thursday, March 18th, 2004


Information Security Executive of the Year in Georgia™ honors the achievements of today’s information security pioneers and recognizes excellence in managing enterprise-wide network and Internet security systems. Join us at Atlanta’s historic Fox Theatre on March 18, 2004, when we celebrate these forward-thinking individuals.


Special  Presentations  from: 


Thomas E. Noonan, President and CEO, Internet Security Systems, Inc.

Richard H. Marshall, Former Deputy Director, Critical Infrastructure Assurance Office (CIAO)

Russ Artzt, Executive Vice President, eTrust Solutions, Computer Associates


Hosted by Executive Alliance


Nominate your Chief Security Officer, or executive in an equivalent position, for the Information Security Executive of the Year in Georgia for 2004. Nomination forms are online at www.infosecaward.com.

TechLINKS

Only a few sponsorship packages remain. Call 404.982.8562 or e-mail info@infosecaward.com for more information.


The  right  management  should  do  more  than  just  protect. 

It  should  also  enable. 

eTrust™  Security  Management  Software 

With eTrust security management software, your information isn’t just safeguarded from internal and external threats. We provide authorized customers, partners, and employees with appropriate access that can help your business grow. In addition to securing data, eTrust also provides a single view of your security environment, so you can make real-time decisions based on comprehensive information. If you’re looking for ways to minimize risk while maximizing your potential, or to get a white paper, go to ca.com/security.